ankushjain2001 / fastapi-react-mongodb

A minimal FARM stack boilerplate / template project to get you started with a Python FastAPI backend, React frontend, MongoDB, and JWT user authentication (via FastAPIUsers).


Potential problem with auth

rbracco opened this issue · comments

Hi, I'm new to auth in js so I may be mistaken here, but isn't it dangerous to authenticate by checking a plain permissions string in localStorage as is done below in auth.js? Can't the user tamper with localStorage and send a request that gives them user permissions even if they shouldn't have them? With a JWT, because we sign it with our secret on the server side, when a user sends a token we can verify that it is valid and that we signed it, but I think by just sending a plain string you risk the user spoofing the permission and claiming to be a user.

Either way thank you for sharing your code, I'm using it to figure out how to integrate fastapi users in React and your code is very helpful. Cheers!

// From auth.js, as quoted in this issue: the decision rests on the
// 'permissions' string read back from localStorage.
isAuthenticated = () => {
  const permissions = localStorage.getItem('permissions');
  if (!permissions) {
    return false;
  }
  return permissions === 'user';
};

Hi @rbracco. Thanks for pointing this out, you are totally right. Even I'm pretty new to auth in js and I had my own reservations with this approach as well. One important thing to note is that this project is not suitable for production (obviously).

I will try to look into this problem when time permits and search for the best practices. If you are able to fix this problem in your project, then I will really appreciate it if you share your solution or perhaps create a pull request.

Also, it'll be great if you can raise a similar request in Buuntu's FastAPI-React project. That is the original project from which I took this code, and it has a much more active and experienced group of people.

Btw, you can explore Amazon Cognito or something similar to get a much more secure and easier way to auth users.

Cheers!

Thank you for the reply and feedback. I eventually realized this code came from FastAPI-React and so I opened an issue there as well. If I come up with a solution I will reopen and post here. For now I think the best way is to store the token locally and have isAuthenticated make a request to our Users router to validate the token. I will suggest that in the other thread and see if some of the more experienced people have input. Cheers.
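The approach suggested in this last reply, as an added example that is not code from the repository or from either commenter: the posted localStorage check beside a version that keeps only the token client-side and asks the backend whether it is valid. The `/users/me` path is assumed to be the FastAPI Users current-user route; `fakeStorage` and `fakeFetch` are constructed stand-ins so the block runs offline.

```javascript
// Added example, not code from the repository: the check posted in the issue
// trusts a string the browser's own user can edit; the hardened version keeps
// only the JWT client-side and lets the backend decide.
// Assumption: FastAPI Users exposes the current user at GET /users/me.
const ME_ENDPOINT = '/users/me';

// As posted in auth.js: whatever is written to localStorage is believed.
function isAuthenticatedInsecure(storage) {
  return storage.getItem('permissions') === 'user';
}

// Hardened: the client never decides on its own. The backend verifies the
// signature, expiry and account state of the bearer token and answers 2xx
// (valid) or 401/403 (invalid, expired, inactive). Pass window.fetch in the app.
async function isAuthenticated(storage, fetchImpl) {
  const token = storage.getItem('token');
  if (!token) return false;
  try {
    const res = await fetchImpl(ME_ENDPOINT, {
      headers: { Authorization: `Bearer ${token}` },
    });
    return res.ok;
  } catch (err) {
    // Network failure or a thrown fetch: fail closed rather than grant access.
    return false;
  }
}

// Constructed fixtures so the example runs offline (stand-ins, not real APIs).
function fakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (key) => (map.has(key) ? map.get(key) : null) };
}

// Stand-in server: only the constructed token 'good.jwt' is accepted.
async function fakeFetch(url, opts) {
  const auth = (opts && opts.headers && opts.headers.Authorization) || '';
  const ok = url === ME_ENDPOINT && auth === 'Bearer good.jwt';
  return { ok, status: ok ? 200 : 401 };
}

// Tampered storage fools the posted check but not the server-backed one.
async function demo() {
  const tampered = fakeStorage({ permissions: 'user', token: 'forged' });
  return {
    insecure: isAuthenticatedInsecure(tampered),          // true
    hardened: await isAuthenticated(tampered, fakeFetch), // false
  };
}
```

In the React app the same `isAuthenticated` is called with `window.localStorage` and `window.fetch`, and route guards await its result instead of reading a permission string.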