Comments (11)
We should avoid rolling our own auth at all costs. The maintenance overhead grows over time, along with the anxiety of having to persist sensitive information.
Should we consider a passwordless authentication method?
I love magic links. For a site that people arguably won't log in/out of frequently, it seems like a good way of deferring the hairy bits of security to a third-party while providing a good experience for users.
Upgraded this to a core feature and added a high priority; this will be a critical matter to resolve for the MVP.
Should we go with something like Auth0, Firebase Authentication, et cetera?
I had a cursory look at Auth0 and Firebase. They appear to offer similar features and generous free tiers.
What stood out with these providers:
- Prebuilt login UIs that we can drop into our frontend.
- SDKs to manage the authentication lifecycle. Ability to easily get an access token from the frontend, and use it to authenticate against a backend API: https://github.com/auth0/auth0-react/#call-an-api and https://firebase.google.com/docs/auth/admin/verify-id-tokens#retrieve_id_tokens_on_clients
- Generous free tier. Firebase auth is completely free (for non-phone auth which I believe is what we're going to use), and the Auth0 free tier maxes out at 7000 active users and unlimited logins.
- User management which eliminates the need for us to persist sensitive information: https://auth0.com/docs/microsites/manage-users/manage-users-and-user-profiles and https://firebase.google.com/docs/auth/web/manage-users
Since the front end is built with nextjs, we should think of using next-auth with whatever provider we choose. It has support for everything that's been mentioned, comes with its own prebuilt components/pages related to auth and REALLY MINIMIZES the amount of dev work required to set up auth for a serverless application.
I like the idea of using a service like Auth0 for authN. You get user management, you can use external IdPs if you want, and (usually) the APIs/SDKs are well documented. Passwordless Auth (e.g. Email Magic Link) is also something that can be configured using most of these Identity as a Service platforms.
Disclosure: I work for Okta, which acquired Auth0 so I might be a bit biased. However, a plus with going with Auth0 is that I’ve had an opportunity to ramp up on their stuff and have buddies within Auth0 that can help with troubleshooting as we get off the ground.
@disposedtrolley I can look into that tomorrow
I jumpstarted this feature on the branch attached to this issue. Feel free to start contributing
The ideal solution would be to marry our app to Gatech's federated auth service but I don't think that'll ever see the light of day. We can always ask OIT for help 🤷♂️
One approach would be to permit user authentication and account creation using one of the usual suspects (Git, Google, Microsoft etc.) and block write access till they prove ownership of a valid @gatech.edu email ID. We don't have to store the email, it can be purged after the account is verified or the token expires.
This allows us to offload auth to a different service provider, while keeping user accounts within Gatech.
https://auth0.com/docs/authenticate/passwordless/authentication-methods/email-otp
Should we consider a passwordless authentication method? For example:
- User enters an email
- Input validation is done to ensure that the email ends in @gatech.edu, thus allowing only GATech students/alumni to review, and ruling out spam reviews
- Authentication code is sent to @gatech.edu email
- Authentication code is entered and verified on the site
- User is logged in :)
We can make use of services like Twilio Sendgrid for this https://docs.sendgrid.com/for-developers/partners/microsoft-azure-2021#create-a-twilio-sendgrid-account
I'll put my vote down for Auth0, especially if we have someone on the inside!
The free tier caters for up to 7000 MAUs which I'm hoping will be more than sufficient. @driscoll42 dug up some figures on traffic to OMSCentral, but we don't know what proportion of those visitors are logging in.
Do you know if Auth0 can offer better pricing for not-for-profit orgs @kazemicode?