JavaScript
Ruzel Davletyarov, 2014-02-27 22:28:13

How to implement password/login authorization via WebSocket + WebStorage and without Cookie?

Friends, Node comrades.
Please share examples for my coursework project on NodeJS.

I want to understand the correct principle of implementing authentication with authorization using new solutions. On the server, I have a bicycle on Node. Through the ws module, I want to implement (username / password) authorization for the time being.
Later it will grow to include social OAuth 2.0 as well.

The point is this. You need to make a connection via WebSocket with the server, on the client use only WebStorage for storage. Without cookies.

Just please show examples if you have them, of course :) I would be very grateful for any information or code.

I tried in this way. If there is websocket support, then I connect to the server; if not, then I show a separate page like "Update your browser".
On successful connection I transfer the data (name/pass) from the form to the server. On the server I check it against a DB. Upon successful authentication, I make a simple file in a special folder where the file name is (User ID + Salt). Then I transfer the name of this file over the socket. On the client, I store it in localStorage as (sid/data). Then, with each request or sending of data to the server, I send the created JSON object along with the data as (sid / data), which I parse on the server, pull out the data and try to find a file with the same name.
But something, damn it, does not work, even though I seem to have minimized it as best I could. The coursework is done on Node + LevelDB and only for Chromium.

2 answer(s)
Sasha Grunin, 2014-02-27
@ruzelapp

0) The authorization stage by password and login is correct.
1) As I understand it, the file stores the authentication token. This should be the result of a hash function taken, for example, from the user's salt+email. (The password should definitely not be there).
2) The token must be unique and long. You can verify the uniqueness by simple queries to the database at the generation stage.
3) The token should be stored not in a file, but in the database, in the same table as other user data.
4) How the token is transferred is not clear. You just need to pass the token string itself in the request header and, on the server, at the authentication stage, pull it out from there and find it in the user's database by token.
5) With local storage on the client, there should be no problems for such a task, if I understand everything correctly. Just store/take the value when needed.

maxfox, 2014-02-28
@maxfox

I don't understand, are you trying to implement cookies through local storage? What for? Even so, you just need to store a long enough randomly generated token and send it with the request. The server will determine the user from it. The same session cookie, only with pedals.
If you are writing your own bike, implement something interesting, such as challenge-response authentication.
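
An added example, not code from either answer or from the asker's project: the random-token session scheme described in the answers, written as a handler for the JSON frames a WebSocket server receives. The in-memory Maps stand in for the database; the function names, the `type` field and the 30-minute lifetime are assumptions, while `name`/`pass` and `sid`/`data` follow the question.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 30 * 60 * 1000;   // assumed session lifetime
const users = new Map();               // stand-in for the user table
const sessions = new Map();            // sha256(token) -> { user, expires }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Helper for constructed sample data: store a salted scrypt hash, never the password.
function addUser(name, password) {
  const salt = crypto.randomBytes(16);
  users.set(name, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

function login(name, password, now = Date.now()) {
  const u = users.get(name);
  if (!u || typeof password !== 'string') return null;
  const candidate = crypto.scryptSync(password, u.salt, 32);
  if (!crypto.timingSafeEqual(candidate, u.hash)) return null;
  // 256 bits from the CSPRNG: nothing about the user can be derived or guessed from it.
  const token = crypto.randomBytes(32).toString('hex');
  // Only the hash is stored, so a leaked session table does not expose live tokens.
  sessions.set(sha256(token), { user: name, expires: now + TOKEN_TTL_MS });
  return token;                        // the client keeps this in localStorage
}

function authenticate(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const key = sha256(token);
  const s = sessions.get(key);
  if (!s) return null;
  if (s.expires <= now) { sessions.delete(key); return null; }
  return s.user;
}

// Call this for every text frame received on the socket.
function handleFrame(raw, now = Date.now()) {
  let msg;
  try { msg = JSON.parse(raw); } catch { msg = null; }
  if (!msg || typeof msg !== 'object') return { ok: false, error: 'bad frame' };
  if (msg.type === 'login') {
    const sid = login(msg.name, msg.pass, now);
    return sid ? { ok: true, sid } : { ok: false, error: 'auth failed' };
  }
  if (msg.type === 'logout') { sessions.delete(sha256(String(msg.sid))); return { ok: true }; }
  const user = authenticate(msg.sid, now);
  return user ? { ok: true, user, echo: msg.data } : { ok: false, error: 'no session' };
}
```

A token in localStorage is readable by any script running on the page, so this scheme depends on the page being free of XSS and on the socket being opened over `wss://`.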
