user session, log in / log out
I'm looking for a way to implement a user session where:
- app starts with an empty session
- user can sign in and his identity is kept in session
- user can sign out and his session will be deleted
Basically, storing the token in the browser would be sufficient for me to implement this: a value that would be kept even if the page is reloaded, and that I can access and modify at any time.
I wonder what mechanism I should be using for that. I found this in the documentation, but it seems to be for storage only:
```go
// Returns a storage that uses the browser session storage associated to the
// document origin. Data stored expire when the page session ends.
SessionStorage() BrowserStorage
```
[BrowserStorage](https://go-app.dev/#BrowserStorage)
This is what https://go-app.dev/states can be used for.
oh no :D
- I actually used local storage to store the logged-in user's struct
- local storage is easily hackable
- implemented AES E2E encryption for BE and FE intercommunication
- encrypted the local storage item
- ???
- stonks
https://github.com/krustowski/litter-go/blob/master/backend/api.go#L16
@krustowski I actually do not understand the problem? The local store belongs to the user. We use https://docs.nats.io/using-nats/developer/connecting/creds for authorization mostly. But if you have something on the frontend that the user is "not allowed" to modify, it will always be hackable.
I wanted the user not to be able to modify one field in LocalStorage (the user struct). So I overengineered it a bit and used E2E encryption for the BE-FE intercommunication with a shared key, which is compiled into the WASM library and exported via an env var for the HTTP server (BE).
Anything on client side can potentially be modified. What I did on https://murlok.io is to use JWT token with asymmetrical keys and check validity on server side before returning any data.
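The server-side check described in the reply above, written out as an added example that is not code from the thread, from murlok.io or from go-app. It uses only the Go standard library: the backend signs a JWT with an Ed25519 private key (the `EdDSA` algorithm), the frontend keeps the token string in whatever browser storage it likes, and every request is verified against the public key before any data is returned. The function names `Issue`, `Verify` and `Tamper`, the `Claims` fields and the sample subject `alice` are assumptions made here; `Tamper` only simulates a client editing its own stored token so that the rejection can be observed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JSON payload the backend signs. Only "sub" and "exp" are
// needed for the demonstration; the field names are assumptions of this example.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Issue builds a JWT (header.payload.signature) signed with the server's
// Ed25519 private key. The frontend stores the returned string and sends it
// back with each request; it cannot alter the claims without breaking the
// signature, because it never sees the private key.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is what the backend runs before returning any data: it pins the
// algorithm, checks the signature with the public key and rejects expired
// tokens. The claims are trusted only after every check passes.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	// Refuse any header that does not name the one algorithm we accept.
	var hdr struct {
		Alg string `json:"alg"`
	}
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("unsupported or malformed header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("malformed payload")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Tamper simulates a client editing the token it holds: it rewrites the "sub"
// claim and keeps the original signature. Verify must reject the result.
func Tamper(token, newSub string) string {
	parts := strings.Split(token, ".")
	payload, _ := b64.DecodeString(parts[1])
	var c Claims
	_ = json.Unmarshal(payload, &c)
	c.Sub = newSub
	forged, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(forged) + "." + parts[2]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Sign-in: the server issues a one-hour token for the constructed user "alice".
	tok, _ := Issue(priv, Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := Verify(pub, tok, time.Now())
	fmt.Println("valid token:", c.Sub, err)
	_, err = Verify(pub, Tamper(tok, "admin"), time.Now())
	fmt.Println("tampered token:", err)
	_, err = Verify(pub, tok, time.Now().Add(2*time.Hour))
	fmt.Println("expired token:", err)
}
```

Signing out is then just the frontend discarding the token; the server keeps no session state, and the "empty session" the question starts from is simply the absence of a token in storage. Because the client only ever holds the public half of the key pair (or nothing at all), encrypting the stored value adds no protection beyond what the signature already gives.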
@maxence-charriere this is exactly the basis of what happens when using the NATS distributed authentication scheme I linked above.