Comments (14)
Login is defined by the contents of a signed HTTP-only cookie, so this script can only be loaded from auth.hasgeek.com (or whatever the app's login server is).
from lastuser.
Implementation:
- Script served from `/api/1/login/beacon.js` with a cache timeout of 5/10 minutes and mandatory parameters: `key=` client key, `&userid=` local user id if present, blank otherwise, `&login=` local login endpoint, `&logout=` local logout endpoint.
- JSON served from `/api/1/login/status.json` (no JSONP) with explicit no-cache, called by beacon.js to verify user status if it believes the user is logged in but the client page indicates not, or vice versa. This is to get around the effect of a cache.
from lastuser.
Scenario 1: User is not logged into either Lastuser or client app
- Client app requests `beacon.js?userid=`
- Script recognises server and client userid are blank, does nothing.
from lastuser.
Scenario 2: User is logged into both Lastuser and client app, script is not cached
- Client app requests `beacon.js?userid=x`
- Script recognises server and client id match, does nothing.
from lastuser.
Scenario 3: User is logged into Lastuser but not client app, script is not cached
- Client app requests `beacon.js?userid=`
- Script notices a mismatch, requests `status.json`
- Script confirms user is logged in on server, proceeds to login on client.
from lastuser.
Scenario 4: User is not logged into Lastuser but logged into client app, script is not cached
- Client requests `beacon.js?userid=x`
- Script notices mismatch, requests `status.json`
- Script confirms user is not logged into server, logs out on client.
from lastuser.
Scenario 4: User is logged into Lastuser but not client app, script is cached logged out
- Client requests `beacon.js?userid=`, gets cached copy
- Script believes server and client userid are blank, does nothing.
- FAIL
Possible fix: the logged out version is always served with no-cache headers.
from lastuser.
Scenario 5: User is logged out on Lastuser but logged in on client, script is cached logged in
- Client requests `beacon.js?userid=`, gets cached copy
- Script believes server and client are logged in, does nothing.
- FAIL
Possible fix: don't cache logged in version either. What's the point of the separate status.json then?
from lastuser.
The only sensible fix to the cache problems appears to be to (a) use database-backed sessions (#89) and (b) push notifications to client apps when a user logs in/out.
from lastuser.
Push notifications can be used to force logout a user, but not for login, since we have a ready identifier (the cookie) for logout, but nothing for login. Therefore a possible solution is that the logged out beacon script is served with no-cache, while the logged in version is cached.
However, logged out pageviews far exceed logged in pageviews, so this makes performance slightly worse for the more common use scenario.
from lastuser.
#89 has resolved the logout problem. When the user now logs out of Lastuser, they also log out of (most) client apps -- anything running the new Flask-Lastuser with login sessions.
The login beacon's job is now to facilitate login alone.
from lastuser.
Looking at this afresh:
- The login beacon could be a static, cacheable resource that examines host cookies to determine course of action.
- The `session` cookie remains HttpOnly as at present since its contents need to be private.
- Lastuser could set another non-HttpOnly cookie that simply carries a flag indicating whether a user is logged in or not
- The login beacon looks for this cookie and if it detects a user, it calls home to ask if it should initiate a login sequence. This part needs more clarification since multiple considerations apply.
from lastuser.
The only way to read Lastuser's cookies from a client app website appears to be by using an iframe and reading that iframe's document.cookie, so that requires another endpoint that is loaded into an iframe:
- Iff there is no user session locally, the client app adds an invisible iframe (via baseframe's networkbar) that loads the beacon page from lastuser's API. Parameters include the client id and local login endpoint
- The iframe receives a JS-readable cookie that indicates if a user is logged in. It also contains a script tag whose code is custom-generated for the client id (and client id alone).
- If the client is trusted (hardcoded into generated script) and document.cookie suggests a user is logged in on Lastuser, it redirects the top frame to the local login endpoint.
- If the client is not trusted but a user is logged in, it phones home to confirm that the user has an access token for this website and that it's safe to log them in.
- If the client is trusted and a user is logged in but doesn't have an access token for this website, it can prompt the user to login.
from lastuser.
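The decision logic of the iframe-hosted beacon sketched in the comment above, written out as an added example (not Lastuser's own code): the flag cookie name, the shape of the per-client generated config, and the two-step `beaconAction` / `afterConfirm` split are assumptions; the trusted-but-no-token prompt case is represented by `afterConfirm` for a trusted client.

```javascript
// Added example, not Lastuser's own code: decision logic for the iframe-hosted
// login beacon. The flag cookie name and the generated config shape are assumed.
const LOGIN_FLAG_COOKIE = 'lastuser_loggedin'; // assumed name of the non-HttpOnly flag cookie

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// The HttpOnly session cookie never appears here; only the flag does, and the
// flag carries no secret, just the fact that someone is logged in.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// First step, run by the script generated for the client id. `config` comes
// from Lastuser's own records for that id, so `trusted` and `loginEndpoint`
// are not taken from the embedding page.
function beaconAction(cookieString, config) {
  const loggedIn = parseCookies(cookieString)[LOGIN_FLAG_COOKIE] === '1';
  if (!loggedIn) return { action: 'none' };                 // nobody to log in
  if (config.trusted) return { action: 'redirect', target: config.loginEndpoint };
  return { action: 'confirm' };                             // phone home first
}

// Second step, after Lastuser has said whether this user already holds an
// access token for the client. Only a trusted client may prompt the user.
function afterConfirm(config, hasToken) {
  if (hasToken) return { action: 'redirect', target: config.loginEndpoint };
  return { action: config.trusted ? 'prompt' : 'none' };
}

// Constructed sample: a logged-in flag cookie as seen from an untrusted client.
const sampleCookies = 'csrf=abc; lastuser_loggedin=1';
const untrusted = { trusted: false, loginEndpoint: 'https://client.example/login' };
console.log(beaconAction(sampleCookies, untrusted).action); // confirm
console.log(afterConfirm(untrusted, true).action);          // redirect
```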
Scenario 4 is still broken. Corresponding ticket in hasgeek/flask-lastuser#31
from lastuser.