Authentication

Login

  1. Send username + password to server, like so:

    TEMPLATE <<<< {
        auth: 
            username: 'your-username'
            password: 'your-password'
    }

    or

    TEMPLATE <<<< {
        auth: 
            token: 'your-existing-token'
    }
  2. Look the user up in the database and verify the supplied password against the stored password hash (if a token was sent instead, look it up in the session-cache store). Respond identically to an unknown username and a wrong password so that usernames cannot be enumerated.

  3. If the credentials are valid, generate a-random-token on the server from a cryptographically secure random source (long enough that it cannot be guessed).

  4. Add the following object to the session-cache store (the `date` field is what lets the server expire stale sessions):

    session-cache[a-random-token] = {
      user: the-user-id 
      date: some-timestamp
    }
  5. Send the token to the client:

    TEMPLATE <<<< {
        auth: 
            token: 'a-random-token'
            user: the-user-id 
    }

Logout

Send the following message, together with the session token, to log out; the server removes that token from the session-cache store:

TEMPLATE <<<< {
    auth: logout: yes 
}

Server responds with the following message:

TEMPLATE <<<< {
    auth: logout: 'ok' 
}

Authenticating messages

  1. Any message whose token does not exist in the session-cache store (the temporary authentication table) is dropped; only the login message itself is accepted without a token.

Authorization

  1. At the destination, every message is checked to confirm that the sender is authorized to perform the requested action.
  2. If the sender is unauthorized, an exception message is sent back.

Security Design

  1. An attacker might obtain the whole password database.
  2. The attacker might (and probably will) know the hash algorithm we are using.
  3. With this information, they should not be able to
    1. Recover the original password.
    2. Retrieve any sensitive user data.

Meeting requirement 3 means storing passwords with a per-user random salt and a deliberately slow password hash, so that a leaked table cannot be attacked with precomputed hash tables and each entry has to be brute-forced separately.