Auto login via cookie #761

Closed

yoyosaygood opened this issue Jan 19, 2021 · 16 comments

Comments
@yoyosaygood

How to record the login status? If I'm already logged in, I'd like to enter automatically next time.

@andersevenrud (Member)

I will look at this ASAP.

@mikeblackstock

Me too I would love to have this capability

@andersevenrud (Member)

I've started looking into this.

FYI: This will only work for the official database authentication adapter. So no support on PAM, at least for now. Mostly because this requires implementing a custom mechanism.

Any adapter that uses a third party authorization service (like Auth0) can already do this :)

@mikeblackstock

> FYI: This will only work for the official database authentication adapter.

Is that this one?
https://github.com/os-js/osjs-database-auth

@andersevenrud (Member)

andersevenrud commented Jan 28, 2021 via email

@mikeblackstock

mikeblackstock commented Jan 28, 2021

re. "Maybe it could be an option?"
I did a quick search, and login systems with cookies for user/password state persistence
use some combination of encryption/hash/salt on the password in the cookie... maybe,
for now, stick to the official database authentication adapter implementation and defer
universality for down the road? Best not implement stuff you're not comfortable with.

@andersevenrud (Member)

The plan is to generate a remember token that's a unique hash when user logs in and store that in the database and then the token+username in the cookie with some lifetime. When the system starts up it will try to detect this cookie and do a login with the information stored there. If the token has lapsed you'll just get the standard login form with a message to try to log in again.

@andersevenrud (Member)

Also, this token is destroyed on a regular logout.

andersevenrud added a commit to os-js/osjs-client that referenced this issue Mar 27, 2021
This is the first stage, which implements an insecure version of the
cookie autologin feature.

Ref: os-js/OS.js#761
@andersevenrud (Member)

Hey y'all. I just released @osjs/[email protected] which includes support for insecure cookie auto-login. I know I said I was not comfortable with this, but I've added a configuration option that will make it possible to switch to a more secure mode in the future (which will then be the default).

So if you update you can now add the following to your config:

```js
{
  auth:  {
    cookie: {
      enabled: true,
      epxires: 7 // days -- this is the default value
    }
  }
}
```

@andersevenrud (Member)

This insecure method will work on all authentication adapters since it stores the actual login and not some token, FYI.

@hello-smile6

What about a hash of an authentication token that's IP-locked?

@hello-smile6

What about a hash of an authentication token that's IP-locked?

So it couldn't be hacked as easily.

@andersevenrud (Member)

@hello-smile6 That might not be desirable, because if the user changes their connection/location they would not be automatically logged in anymore.

But I suppose it could be added as an option when it comes to the "secure" implementation of this mechanism. It's not possible in the "insecure" method because it's entirely client-side. Not 100% sure though, because if IPs are of concern then there are ways to whitelist this in the front-facing reverse proxy (like nginx), or as middleware on the node server.

@mikeblackstock

This is great Anders - I configured it and it's running perfectly :)
PS - I'm guessing there's a typo below and 'epxires' should be 'expires'?
M.

> Hey y'all. I just released @osjs/[email protected] which includes support for insecure cookie auto-login...
> ...
> auth:  {
>   cookie: {
>     enabled: true,
>     epxires: 7 // days -- this is the default value
>   }

@andersevenrud (Member)

@mikeblackstock Glad to hear it! And yeah, that's indeed a typo 😊

@andersevenrud (Member)

Closing this issue. This will be superseded by issues in the associated repos.
