darenyong/auth
Auth

Simple project to experiment with an auth micro-service, so that authentication is (mostly) abstracted away from the API.

The backend API will still need to verify the token and check the user's role.

Warning

When an app relies on Auth service, it should make sure the user has already successfully logged in before attempting operations that modify data on the server (POST/DELETE).

User agents may change the method to a GET on redirect, according to the HTTP spec, section 9.3:

If the 302 status code is received in response to a request using the POST method, the user agent must not automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

Note: When automatically redirecting a POST request after receiving a 302 status code, some existing user agents will erroneously change it into a GET request.
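The following is an added example, not code from the darenyong/auth repository. It models the failure the warning describes with an in-memory "server" and a simulated user agent that follows a 302 by re-issuing the request as a GET with no body. A naive service that redirects every unauthenticated request to /login silently drops the POST body; a hardened variant answers unauthenticated POST/PUT/PATCH/DELETE with 401 so the app can log the user in first and retry. The session store, token values and paths are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed sample session store (hypothetical token and user values).
SESSIONS = {"tok-alice": {"user": "alice", "role": "editor"}}
ITEMS = []  # constructed server-side state that POST /items appends to


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_logged_in(headers):
    """Bearer token lookup against the session store."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return token in SESSIONS


def naive_server(method, path, headers, body=""):
    """Redirects every unauthenticated request to /login, including POST."""
    if path == "/login":
        return Response(200, body="login form")
    if not is_logged_in(headers):
        return Response(302, {"Location": "/login"})
    if method == "POST" and path == "/items":
        ITEMS.append(body)
        return Response(201, body="created")
    return Response(200, body="ok")


def hardened_server(method, path, headers, body=""):
    """Never redirects a state-changing request: unauthenticated
    POST/PUT/PATCH/DELETE get a 401 the app can act on; only safe
    methods are redirected to the login page."""
    if path == "/login":
        return Response(200, body="login form")
    if not is_logged_in(headers):
        if method in ("POST", "PUT", "PATCH", "DELETE"):
            return Response(401, {"WWW-Authenticate": "Bearer"}, "login required")
        return Response(302, {"Location": "/login"})
    if method == "POST" and path == "/items":
        ITEMS.append(body)
        return Response(201, body="created")
    return Response(200, body="ok")


def user_agent(server, method, path, headers=None, body=""):
    """Simulated client: on 302 it follows Location, but as a GET with no
    body, which is exactly the behaviour the spec note warns about.
    Returns the final response and the (method, path, status) trail."""
    headers = headers or {}
    resp = server(method, path, headers, body)
    hops = [(method, path, resp.status)]
    while resp.status == 302:
        method, path, body = "GET", resp.headers["Location"], ""
        resp = server(method, path, headers, body)
        hops.append((method, path, resp.status))
    return resp, hops


def demo():
    """Runs the three scenarios and returns (status, hops, items) for each."""
    ITEMS.clear()
    # 1. Naive server: the POST body vanishes and the client sees a 200 login page.
    resp, hops = user_agent(naive_server, "POST", "/items", body="draft")
    naive = (resp.status, hops, list(ITEMS))
    # 2. Hardened server: the unauthenticated POST is refused, nothing is lost silently.
    resp, hops = user_agent(hardened_server, "POST", "/items", body="draft")
    hardened = (resp.status, hops, list(ITEMS))
    # 3. After login the same POST succeeds without any redirect.
    auth = {"Authorization": "Bearer tok-alice"}
    resp, hops = user_agent(hardened_server, "POST", "/items", auth, body="draft")
    after_login = (resp.status, hops, list(ITEMS))
    return naive, hardened, after_login


if __name__ == "__main__":
    for label, result in zip(("naive", "hardened", "after login"), demo()):
        print(label, result)
```

The naive trail reads `POST /items -> 302`, `GET /login -> 200`: the user agent reports success while the item was never created. The 401 path is what lets the app enforce the rule from the warning (log in first, then issue the mutating request).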

Hardening

  • Investigate XSS (scrub inputs, HttpOnly cookies, CSP policies) guide
  • Investigate methods for anti-CSRF discussion
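As an added example covering both hardening items (it is not code from the darenyong/auth repository), the helpers below show the concrete shape each one takes in a Python backend: output encoding for user-supplied text, a session cookie with HttpOnly/Secure/SameSite attributes plus a restrictive CSP header, and a synchronizer-token CSRF check for state-changing methods. The header values, cookie name and session layout are assumptions chosen for the demonstration, not settings from the project.

```python
import hmac
import html
import secrets

# Response headers added to every page (assumed policy: same-origin only, no
# plugins, no framing; tighten or loosen per application).
HARDENING_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "frame-ancestors 'none'; base-uri 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
}


def render_user_text(text):
    """'Scrub inputs' at the output boundary: HTML-escape user text so it is
    shown as data, never parsed as markup."""
    return html.escape(text, quote=True)


def session_cookie(name, value):
    """Set-Cookie value for the session: HttpOnly keeps it out of reach of
    page scripts, Secure limits it to HTTPS, SameSite=Strict stops it being
    sent on cross-site requests."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session and hand it to
    the form / SPA so it can echo it back on mutations."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def csrf_ok(session, submitted):
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_mutation(session, method, headers, form):
    """Gatekeeper for state-changing methods. Safe methods pass; others must
    carry the session-bound token in X-CSRF-Token or the csrf_token field.
    Returns the HTTP status the handler would send (constructed responses)."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200
    submitted = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not csrf_ok(session, submitted):
        return 403
    return 204


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(session_cookie("sid", "constructed-session-id"))
    print(render_user_text('<img src=x onerror="alert(1)">'))
    print(handle_mutation(session, "POST", {"X-CSRF-Token": token}, {}))
    print(handle_mutation(session, "POST", {}, {}))
```

The CSRF check only makes sense together with the cookie attributes: the token proves the request came from a page this server rendered, while SameSite stops the browser attaching the session cookie to cross-site form posts in the first place.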
