Slide 1

Slide 1 text

Auth Best Practices
Lessons learned writing the most amazing auth library ever.
@rdegges

Slide 2

Slide 2 text

I’m Randall Degges
Developer Evangelist at Stormpath
Python / Node / Go Hacker

Slide 3

Slide 3 text

● User account storage / encryption.
● Authentication.
● Authorization.
● REST API management.
● Social login.
(Diagram: End User -> Your Webserver -> Stormpath API, with Stormpath behind the API.)

Slide 4

Slide 4 text

Part 1: Passwords

Slide 5

Slide 5 text

Creating users

Slide 6

Slide 6 text

What happens if?
● You leak a copy of your DB.
● Accidental console.log().
● Your co-worker steals some passwords.

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Password hashing! Give me your passwords!

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

IMPOSSIBLE TO REVERSE! Dude, lame :(

Slide 11

Slide 11 text

Popular algorithms
● md5
● sha1
● sha256
● sha512
● bcrypt
● scrypt
Only the last two belong anywhere near a password. md5 and the sha family are fast, unsalted general-purpose digests built for speed, so a leaked table of them can be brute-forced at GPU speed or looked up in precomputed tables. bcrypt and scrypt take a per-user salt and are deliberately slow (scrypt is also memory-hard), with a tunable cost you raise as hardware gets faster.

Slide 12

Slide 12 text

Storing password (safely)

Slide 13

Slide 13 text

Part 2: Sessions

Slide 14

Slide 14 text

Cookies!
(Diagram: browser <-> server, exchanging cookies.)

Slide 15

Slide 15 text

How do you set cookies?

Response (server -> browser):
{
  "Content-Type": "text/html",
  "Set-Cookie": "session=12345"
}

Request (browser -> server, on every later request):
{
  "User-Agent": "cURL/1.2.3",
  "Accept": "*/*",
  "Host": "localhost:3000",
  "Cookie": "session=12345"
}

Slide 16

Slide 16 text

But what do you store? User IDs, normally. A bare user ID in a cookie is only as trustworthy as the client that sent it, so either sign it so edits are detected, or store an unguessable random session ID and look the user up server-side.

Slide 17

Slide 17 text

Using session cookies

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Reading session cookies

Slide 20

Slide 20 text

Part 3: CSRF

Slide 21

Slide 21 text

*ssholes
“Hey Randall,
Check out this picture of my dog! It’s sooo cute!
PS: Don’t forget to log into your bank account first! <333”

Slide 22

Slide 22 text

Preventing CSRF attacks

Slide 23

Slide 23 text

Part 4: Basic Auth

Request headers:
{
  "Content-Type": "application/json",
  "Authorization": "Basic asdfjasdgasa"
}

Slide 24

Slide 24 text

Authorization header
Authorization: Basic base64(id:secret)
The value is the id and the secret joined by a colon and base64-encoded. Base64 is encoding, not encryption: anyone who sees the header can decode it.

Slide 25

Slide 25 text

Using basic auth

Slide 26

Slide 26 text

Specifying creds

Slide 27

Slide 27 text

Part 5: Best Practices

Slide 28

Slide 28 text

ALWAYS USE SSL!
(Diagram: user <-> server, with the secret crossing the wire between them.)
SSL here means TLS. Without it every password, session cookie and Basic Auth credential in this talk travels in the clear and can be read or replayed by anyone on the path.

Slide 29

Slide 29 text

Secure cookies
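The following is an added example, not code from the talk: a Set-Cookie builder that always emits the hardening attributes, plus an audit function you can run over the Set-Cookie headers a server actually sends. The Max-Age and SameSite defaults are assumptions.

```javascript
// Added example, not code from the talk.

// Build a Set-Cookie header value with the hardening attributes always present.
function secureSetCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('bad cookie name');
  if (/[;,\s"]/.test(value)) throw new Error('bad cookie value');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('bad SameSite');
  return [
    `${name}=${value}`,
    `Max-Age=${maxAge}`,
    'Path=/',
    'HttpOnly',             // page scripts cannot read it, so XSS cannot steal it
    'Secure',               // browser sends it over HTTPS only
    `SameSite=${sameSite}`, // not attached to cross-site requests (CSRF)
  ].join('; ');
}

// Audit one Set-Cookie header value. Returns a list of findings; empty means ok.
function auditSetCookie(header) {
  const [, ...rest] = header.split(';').map(s => s.trim());
  const attrs = new Map();
  for (const a of rest) {
    const eq = a.indexOf('=');
    const k = (eq < 0 ? a : a.slice(0, eq)).toLowerCase();
    const v = eq < 0 ? '' : a.slice(eq + 1).toLowerCase();
    attrs.set(k, v);
  }
  const findings = [];
  if (!attrs.has('secure')) findings.push('missing Secure: cookie is sent over plain HTTP too');
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: readable from JavaScript');
  if (!attrs.has('samesite')) findings.push('missing SameSite: sent on cross-site requests');
  else if (attrs.get('samesite') === 'none' && !attrs.has('secure')) {
    findings.push('SameSite=None requires Secure; browsers drop the cookie otherwise');
  }
  return findings;
}
```

Run auditSetCookie over the headers in an HTTP capture or a test suite; the bare "session=12345" from the earlier slide produces three findings.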

Slide 30

Slide 30 text

USE BASIC AUTH FOR SIMPLE STUFF
(The header carries the credentials, base64-encoded, on every request, so this is for TLS-only, server-to-server or API-key use, not for browser logins.)

Slide 31

Slide 31 text

Part 6: In Practice

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

But what about customization?

Slide 36

Slide 36 text

Thanks! @gostormpath @rdegges