[ IMPR ] hashed passwords #237
Conversation
|
@codekansas My local environment isn't properly set up yet to test this unfortunately, will need to take some time to set up local dynamo db instance, etc. But this should be the general extent to what we need added.
|
Winston-Hsiao
force-pushed
the
236-hashed-password
branch
from
0260a63 to
4dd551f
Compare
Approaches I've seen in the past is having a nested OAuth account type related to the User model that can be defined or undefined (in the case that someone signs up using google/github oauth, we still make a User object like with standard sign up. We would also have to make hashed_password optional for the User model in that case. So all Users are lumped in that one type/collection which is good, and we can distinguish login/auth method based on if they have a linked account or a hashed_password set. We'll have to adjust the various models we have now to get User data more normalized and then support the account type variants, rather than having them all be separate. |
Winston-Hsiao
force-pushed
the
236-hashed-password
branch
from
94d67e2 to
1b746a2
Compare
|
Relatedly, we should run some checks, both client-side and server-side, that the password the user inputs is actually secure (e.g. we ought to reject I am no fan of "must have an uppercase character/number/etc" requirements and think zxcvbn is a much better solution. |
agreed on both client and server side validation for password strength. also agreed, I've implemented "must have an uppercase character/number/etc" myself in my own project and worry sometimes it's too much/annoying for new users, zxcvbn looks like a great solution, great suggestion. |
| github_id=github_id, | ||
| google_id=google_id, |
There was a problem hiding this comment.
is it advisable to keep these fields here? what are we going to use them for? in theory we could look this up from OAuth if we need to (although it would be kind of gross), i'm just not sure what we would use these IDs for once we have already retrieved the email. apologies if you'd addressed this already in the doc
There was a problem hiding this comment.
good point,
only case I could see now is if someone wanted to unlink an OAuth provider. We have their user data already loaded (they're a signed in user and want to set a password and unlink the provider without deleting/resetting their account and all their listings/artifacts/data), we can then backtrace and search the OAuthKey based on their linked/associated OAuthProvider (that we have stored on their user object) otherwise we'd have to somehow persist the OAuth token past sign up and in cookies or something. Then we'd do the CRUD to delete the key and set their provider to empty string, also for consistency in the user model if a hashed_password value is not set it is assumed they have a populated github_id or google_id so having the 2 string fields exist could be useful for some validation checks and in terms of db storage space it's pretty light and not much of a concern.
There was a problem hiding this comment.
Leaving in for now, resolved everything else and need approval for merge.
But can revisit this in the future if it really seems redundant/unnecessary we can remove them to keep the user model more lean.
Notable changes/additions:
created_atandupdated_atfields to user (set on User creation)email_verified_atfield for when email verification is completed (has to be set in email verification api route, should be set automatically by default for standard auth methods)New npm packages:
New pip packages:
argon2idorscryptas alternatives to bcrypt itself