
Comments (11)

disposedtrolley avatar disposedtrolley commented on June 12, 2024 4

We should avoid rolling our own auth at all costs. The maintenance overhead grows over time, along with the anxiety of having to persist sensitive information.

from website.

disposedtrolley avatar disposedtrolley commented on June 12, 2024 3

Should we consider a passwordless authentication method?

I love magic links. For a site that people arguably won't log in/out of frequently, it seems like a good way of deferring the hairy bits of security to a third-party while providing a good experience for users.


awpala avatar awpala commented on June 12, 2024 1

Upgraded this to a core feature and added a high priority; this will be a critical matter to resolve for the MVP.


disposedtrolley avatar disposedtrolley commented on June 12, 2024 1

Should we go with something like Auth0, Firebase Authentication, et cetera?

I had a cursory look at Auth0 and Firebase. They appear to offer similar features and generous free tiers.

What stood out with these providers:


CFKeef avatar CFKeef commented on June 12, 2024 1

Since the front end is built with nextjs, we should think of using next-auth with whatever provider we choose. It has support for everything that's been mentioned, comes with its own prebuilt components/pages related to auth and REALLY MINIMIZES the amount of dev work required to set up auth for a serverless application.


kazemicode avatar kazemicode commented on June 12, 2024 1

I like the idea of using a service like Auth0 for authN. You get user management, you can use external IdPs if you want, and (usually) the APIs/SDKs are well documented. Passwordless Auth (e.g. Email Magic Link) is also something that can be configured using most of these Identity as a Service platforms.

Disclosure: I work for Okta, which acquired Auth0 so I might be a bit biased. However, a plus with going with Auth0 is that I’ve had an opportunity to ramp up on their stuff and have buddies within Auth0 that can help with troubleshooting as we get off the ground.


kazemicode avatar kazemicode commented on June 12, 2024 1

@disposedtrolley I can look into that tomorrow


ctran4347 avatar ctran4347 commented on June 12, 2024 1

I jumpstarted this feature on the branch attached to this issue. Feel free to start contributing


premk avatar premk commented on June 12, 2024

The ideal solution would be to marry our app to Gatech's federated auth service but I don't think that'll ever see the light of day. We can always ask OIT for help 🤷‍♂️

One approach would be to permit user authentication and account creation using one of the usual suspects (Git, Google, Microsoft etc.) and block write access till they prove ownership of a valid @gatech.edu email ID. We don't have to store the email, it can be purged after the account is verified or the token expires.

This allows us to offload auth to a different service provider, while keeping user accounts within Gatech.


charlesgohck avatar charlesgohck commented on June 12, 2024

https://auth0.com/docs/authenticate/passwordless/authentication-methods/email-otp

Should we consider a passwordless authentication method? For example:

  1. User enters an email
  2. Input validation is done to ensure that the email ends in @gatech.edu, thus allowing only GATech students/alumni to review, and ruling out spam reviews
  3. Authentication code is sent to @gatech.edu email
  4. Authentication code is entered and verified on the site
  5. User is logged in :)

We can make use of services like Twilio Sendgrid for this https://docs.sendgrid.com/for-developers/partners/microsoft-azure-2021#create-a-twilio-sendgrid-account


disposedtrolley avatar disposedtrolley commented on June 12, 2024

I'll put my vote down for Auth0, especially if we have someone on the inside!

The free tier caters for up to 7000 MAUs which I'm hoping will be more than sufficient. @driscoll42 dug up some figures on traffic to OMSCentral, but we don't know what proportion of those visitors are logging in.

Do you know if Auth0 can offer better pricing for not-for-profit orgs @kazemicode?

