
I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read the payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant

(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)

Comments
  • 1
    Seriously... I am rethinking my life choices right now... I am tempted to rewrite everything in Java, using MariaDB instead of CouchDB for the database (even though I hate SQL)
  • 2
    @bytecode I might be wrong in this case, but "sending in URL" usually means basic authentication, where the credentials are passed in an HTTP header in every request.
  • 2
    Check jwt.io

    The token you get is some JSON signed with a secret key stored in the backend. That way you don't need to call the db to check the session, just that the signature is valid.
  • 0
    Try firebase??
  • 1
    @johnmelodyme That's what I was using for any project I did for my clients... but this is my personal project that I am then going to pass on to my students' club... The requirement is to keep everything on our servers. ...and I also need to implement OAuth login via our information system.
  • 0
    The biggest problem is the usage of terminology and best practices around OAuth. You'd think that the biggest proponents of OAuth2 would be clear and concise about what each term means.

    I'd suggest reading the docs for Okta to clearly understand what each of the terms means and how they all connect to create authentication and authorization schemes.

    I have been implementing OAuth2 for the past 3 years and it's only easy until the point I need to verify a token. Authorization becomes a pain the moment you go for multi tenant resources. But that's a story for another day.
  • 0
    at this point write your own auth for both sides

    oh right that's a lot of work

    rip op
  • 1
    @terriblecoder I think you misunderstood my post, I need to implement local authentication as well as OAuth.

    And for local auth JWT seems to be the current standard... I just figured out what I was missing: most of the plugins counted on an external service generating the token... that's why it got me confused.
  • 1
    @Parzi actually... I did, I called it the fuckit strategy and fuckitgood scheme.
  • 1
    @bytecode indeed I misunderstood. Thank you for the clarification. :)