Auth Best Practices - Lessons Learned Writing the Most Amazing Auth Library Ever

This talk covers some quick best practices for authentication in general (with code samples given in Node). It covers password hashing, session management, cookies, CSRF, SSL, Basic Auth, and API authentication.

Randall Degges

January 15, 2015
Transcript

  1. Auth Best Practices
    Lessons learned writing the most amazing auth library ever.
    @rdegges

  2. I’m Randall Degges
    Developer Evangelist at Stormpath
    Python / Node / Go
    Hacker

  3. ● User account storage / encryption.
    ● Authentication.
    ● Authorization.
    ● REST API management.
    ● Social login.
    (Diagram labels: End User, Your Webserver, Stormpath API, Stormpath)

  4. Part 1: Passwords

  5. Creating users

  6. What happens if?
    You leak a copy of your DB.
    Accidental console.log().
    Your co-worker steals some passwords.

  7. (no transcribed text)

  8. Password hashing!
    Give me your passwords!

  9. (no transcribed text)

  10. IMPOSSIBLE TO REVERSE!
    Dude, lame :(

  11. Popular algorithms
    ● md5
    ● sha1
    ● sha256
    ● sha512
    ● bcrypt
    ● scrypt

  12. Storing passwords (safely)

  13. Part 2: Sessions

  14. Cookies!
    (Diagram labels: browser, server, cookies)

  15. How do you set cookies?
    Response (server to browser): headers, then body
    {
    "Content-Type": "text/html",
    "Set-Cookie": "session=12345"
    }
    Request (browser to server): headers, then body
    {
    "User-Agent": "cURL/1.2.3",
    "Accept": "*/*",
    "Host": "localhost:3000",
    "Cookie": "session=12345"
    }

  16. But what do you store?
    User IDs, normally.

  17. Using session cookies

  18. (no transcribed text)

  19. Reading session cookies

  20. Part 3: CSRF

  21. *ssholes
    Hey Randall,
    Check out this picture of my dog! It’s sooo cute!
    PS: Don’t forget to log into your bank account first! <333

  22. Preventing CSRF attacks

  23. Part 4: Basic Auth
    body
    {
    "Content-Type": "application/json",
    "Authorization": "Basic: asdfjasdgasa",
    }

  24. Authorization header
    Authorization: Basic:
    id:secret
    base64(id:secret)

  25. Using basic auth

  26. Specifying creds

  27. Part 5: Best Practices

  28. ALWAYS USE SSL!
    (Diagram labels: user, server, secret)

  29. Secure cookies

  30. USE BASIC AUTH FOR SIMPLE STUFF

  31. Part 6: In Practice

  32. (no transcribed text)

  33. (no transcribed text)

  34. (no transcribed text)

  35. But what about customization?

  36. Thanks!
    @gostormpath
    @rdegges