Auth Best Practices - Lessons Learned Writing the Most Amazing Auth Library Ever

This talk covers some quick best practices for authentication in general (with code samples given in Node). It covers password hashing, session management, cookies, CSRF, SSL, Basic Auth, and API authentication.

Randall Degges

January 15, 2015
Transcript

  1. Auth Best Practices. Lessons learned writing the most amazing auth library ever. @rdegges
  2. I’m Randall Degges. Developer Evangelist at Stormpath. Python / Node / Go Hacker
  3. • User account storage / encryption. • Authentication. • Authorization. • REST API management. • Social login. End User → Your Webserver → Stormpath API (Stormpath)
  4. Part 1: Passwords
  5. Creating users
  6. What happens if? You leak a copy of your DB. Accidental console.log(). Your co-worker steals some passwords.
  7. None
  8. Password hashing! Give me your passwords!
  9. None
  10. IMPOSSIBLE TO REVERSE! Dude, lame :(
  11. Popular algorithms • md5 • sha1 • sha256 • sha512 • bcrypt • scrypt
  12. Storing passwords (safely)
  13. Part 2: Sessions
  14. browser ↔ server: cookies. Cookies!
  15. How do you set cookies? Response: body { "Content-Type": "text/html", "Set-Cookie": "session=12345" } Request: body { "User-Agent": "cURL/1.2.3", "Accept": "*/*", "Host": "localhost:3000", "Cookie": "session=12345" }
  16. But what do you store? User IDs, normally.
  17. Using session cookies
  18. None
  19. Reading session cookies
  20. Part 3: CSRF
  21. *ssholes: Hey Randall, check out this picture of my dog! It’s sooo cute! PS: Don’t forget to log into your bank account first! <333
  22. Preventing CSRF attacks
  23. Part 4: Basic Auth. body { "Content-Type": "application/json", "Authorization": "Basic: asdfjasdgasa", }
  24. Authorization header: Authorization: Basic: <xxx>, where <xxx> is base64(id:secret)
  25. Using basic auth
  26. Specifying creds
  27. Part 5: Best Practices
  28. ALWAYS USE SSL! user ↔ server, secret
  29. Secure cookies
  30. USE BASIC AUTH FOR SIMPLE STUFF
  31. Part 6: In Practice
  32. None
  33. None
  34. None
  35. But what about customization?
  36. Thanks! @gostormpath @rdegges