Auth Best Practices - Lessons Learned Writing the Most Amazing Auth Library Ever

Transcript

1. Auth Best Practices Lessons learned writing the most amazing auth

   library ever. @rdegges

2. I’m Randall Degges Developer Evangelist at Stormpath Python / Node

   / Go Hacker

3. • User account storage / encryption. • Authentication. • Authorization.

   • REST API management. • Social login. End User Your Webserver Stormpath API Stormpath

4. Part 1: Passwords

5. Creating users

6. What happens if? You leak a copy of your DB.

   Accidental console.log(). Your co-worker steals some passwords.
7. None

8. Password hashing! Give me your passwords!

9. None

10. IMPOSSIBLE TO REVERSE! Dude, lam e :(

11. Popular algorithms • md5 • sha1 • sha256 • sha512

    • bcrypt • scrypt

12. Storing password (safely)

13. Part 2: Sessions

14. browser server cookies Cookies!

15. How do you set cookies? body { "Content-Type": "text/html", "Set-Cookie":

    "session=12345" } body { "User-Agent": "cURL/1.2.3", "Accept": "*/*", "Host": "localhost:3000", "Cookie": "session=12345" }

16. But what do you store? User IDs, normally.

17. Using session cookies

18. None

19. Reading session cookies

20. Part 3: CSRF

21. *ssholes Hey Randall, Check out this picture of my dog!

    It’s sooo cute! PS: Don’t forget to log into your bank account first! <333

22. Preventing CSRF attacks

23. Part 4: Basic Auth body { "Content-Type": "application/json", "Authorization": "Basic:

    asdfjasdgasa", }

24. Authorization header Authorization: Basic: <xxx> id:secret base64(id:secret)

25. Using basic auth

26. Specifying creds

27. Part 5: Best Practices

28. ALWAYS USE SSL! user server secret

29. Secure cookies

30. USE BASIC AUTH FOR SIMPLE STUFF

31. Part 6: In Practice

32. None
33. None
34. None

35. But what about customization?

36. Thanks! @gostormpath @rdegges