Offline multi-user authentication #172

Open
ghost opened this issue Nov 26, 2019 · 5 comments

Comments

@ghost

ghost commented Nov 26, 2019

Hi all,

At the risk of asking a duplicated question, does anyone have a flow using Hoodie that allows for offline multi-user authentication?

I am developing an app that needs to allow a user in when they are offline, and I'm just wondering how best to do this?

The flow I have at the moment in my head is:

  1. A new user signs up. This will only ever work when online.
  2. The new user signs into the app (still online). Hoodie does its thing and returns some token/cookie which then gets stored on the device / backend DB.

Next day:

  3. The user signs into the app again. Hoodie checks the connection state, sees that we are offline, and therefore uses the saved user token and lets the user in. If no token exists, or the token is invalid, the user is denied.

My questions with this though are:

  • Should I be storing a token on the client or in a DB on the backend?

  • How does Hoodie authenticate the token is valid / not expired / password correct / user exists etc. when offline?

Thanks
Peter

@gr2m
Member

gr2m commented Nov 26, 2019

If the user does not sign out between step 2 & 3, there should be no problem, the user remains signed in. Hoodie does store the authentication in the client, so it is persisted between page reloads.

We had ideas about allowing for offline sign outs which would somehow securely encrypt your data. Then you can sign in again offline, which would decrypt your data. That would be great as a default anyway, because it would greatly speed up signing in, as it would not require the full data bootstrap after sign in, only the changes since your last local sign out.

@ghost
Author

ghost commented Nov 26, 2019

OK cool. This makes sense to me. I've been investigating how to use services like Auth0, but they don't really seem to support authentication when the user is offline.

What do you suggest for security though? Given the username / password will technically be stored in a DB located on the client (I wish I could do it another way), as well as the data, are there nodejs plugins that encrypt/decrypt data in a pouchdb/couchdb?

@gr2m
Member

gr2m commented Nov 26, 2019

Password is never stored, only a hash, and only in the database. In the browser we only store the session ID.

There is something called crypto couch or similar, but I haven’t worked with it myself.

@ghost
Author

ghost commented Nov 26, 2019

That's great. Is it just SHA-256, or does Hoodie employ something like PBKDF2?

Just trying to decide if I just let Hoodie be awesome, or if I write a plugin to implement a stronger salt + hash algorithm.

My app will be storing medical records, so I want to make it as strong as possible for authentication, and implement some sort of DB encryption.

thanks for your help

@gr2m
Member

gr2m commented Nov 26, 2019

Hoodie is delegating authentication to CouchDB, it's using PBKDF2 by default if I recall correctly.
