Hey all! Been a bit quiet recently hasn't it? I've been busy on some user authentication/password management/security stuff for the past few days. Much though I enjoy streaming the code development process, I think that broadcasting EVERY single line of code is ... uh ... a really bad idea 😅 So I'm going to be working on that for the rest of the week probably. I might get a stream or two in, but otherwise I'll be laboring in the shadows for a little while :male-detective:

bringe 2021-03-10T16:55:22.030900Z

I have a repo here that may be of use as a reference to you. It's session-based auth, not token-based, but some of it may still be useful if you're using token auth.


Ooh damn, I will definitely reference that! Thanks @brandon.ringe


And after some ego swallowing and a couple hours of research, I've decided on session auth after all. Seems easier and safer, and only requires a little refactoring on my end to make it possible to do with HttpOnly cookies.

bringe 2021-03-10T20:14:30.031800Z

You're welcome. Yeah, if it's a simple app for the browser then session auth fits the bill, I think.


Nice touch with the timing attack mitigation btw:

bringe 2021-03-10T22:02:08.032300Z

Ah, yes, thanks. The OWASP material I referenced is really thorough.