laardee / serverless-authentication-boilerplate

Generic authentication boilerplate for Serverless framework

Home Page:http://laardee.github.io/serverless-authentication-gh-pages


authentication by email/password

AdrienLemaire opened this issue · comments

I need to enable authentication by email/password for my API. This is not basic http auth, as I need to verify the data from a MySQL database.

Would it make sense to create a new "provider" package serverless-authentication-database, that will generate some sort of authorization_token which will return the user id?

There are a lot of security issues to worry about here, hence I'd love to get your input before I get started.

There is definitely a need for this, at least I need this myself with DynamoDB. I already started to design a similar feature a few weeks ago, but didn't have time to implement anything that could be shared.

How do you think this could be done so that it would be as general as possible? Should the provider take in the whole query or just table names and field names?

The package name could be serverless-authentication-[SOMETHING]-mysql maybe. And similar for other databases.

I was thinking of using an ORM like sequelize to handle various databases. But I don't think this will work with DynamoDB.

I'm actually a bit surprised that you would consider this feature, I was somehow expecting the answer to be "set up a custom oauth provider then build a module for that provider", since sending user/email and password for every api call could be intercepted more easily by an intruder. Having passwords hashed client-side doesn't make sense either. But maybe https + cors is safe enough.

For an implementation idea, how about this?

$ curl -k -XGET -H"Accept:application/json" -H"Authorization: Basic <email|username|whatever>:<password>" https://api/function
[{"id":27060,"username":"nobody","email":"nobody@example.com"}]

I implemented it this morning by customizing the authorizer function to intercept authorizations starting with Basic, then returning the policy with principalId being prefixed by 'mysql-'. Also used bcrypt-nodejs to compare the password with the db hashed version.

If this sounds safe enough for you, I'll study the code a bit more and start implementing a new package for it.

I'll try to comment on this issue today.

My plan was to POST credentials to the sign in endpoint, then the lambda checks (using the provider package) if the username and password are valid and returns an authorization token and a refresh token in the response payload. After that the authorization flow is similar to the oauth providers.

Guess it makes sense :) A bit busy atm, but hopefully I'll be able to set some time aside next month to work on this, thanks for the feedback!

I've been using this project to register users with emails. It doesn't use user-pools, but instead creates a new developer identity using emails.

I'm considering using this library as it's designed for the serverless framework, but would have email registration also.

Looking forward to an update :)


So it seems this project only supports logging in if you have another provider like google and fb? Does this example allow users to register via email+pass?