[Security] Implement Authentication

[daltonfury42]

In the current system, anyone with queueID can become the admin. For example, anyone with the queueID can send requests to the backend directly, and say, remove people from the queue.

The right real issue here is that we don't authenticate users. The proper solution to this is to implement authentication

[daltonfury42]

Some updates:

The aim is to sign up users anonymously when they first visit the site. This happens in the background. I am just exploring how Cognito can help us with auth.

Client Side

Currently, on first visit, a userId and tempKey is generated and stored in the local storage. This is used to create an account for the user in the Cognito User Pool.

We also log in using the key and id, and then send a JWT token along with each request to the backend.

The changes are done, and is working on my local, some AWS related setup to deploy this to dev UI are pending.

Backend Side

The backend can use the token to identify the user. So as a next step, the user id of all queues (and queue joining) can be stored in the db.

This would enable us to list all queues that a person has created.

Concerns

We are still vulnerable to MITM. Have to look more into this. https://stackoverflow.com/questions/34259248

[daltonfury42]

Progress: UI directly connects to Cognito, and gets a JWT, which it sends with all requests. At backend, the token is verified, and the userid is extracted and stored into the DB against each queue/token created, in the field ownerId.

Half the endpoints are secured, just have to verify and add checks to remaining endpoints, mostly at token side. For example, when removing a token, we have to throw Access Denied unless the user who requested is the token creator or the queue creator.

[daltonfury42]

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

The article says not to use the access_token for authentication. And we are doing that. 🤔

@nirmalkv

[daltonfury42]

Confused... Have to figure it out...

https://auth0.com/docs/protocols/oidc#access-tokens

[daltonfury42]

As per discussion with @thehamzarocks, we need to anyway use the client ID token and not the access token here: https://github.com/SimplQ/simplQ-frontend/blob/master/simplq/src/services/auth.js#L6

[thehamzarocks]

Yes. In addition, we should also check that the aud of the token matches the client id being used.

[daltonfury42]

@thehamzarocks So you are using google sign on directly in Brainylog. We want the use to use the app for as long as he wants without getting the user to login. Is this possible... ?