REMINDER
Do I really have to learn to code to do anything useful?
-
@Academy-for-Certification-Training-Ltd
And for good reason; security issues in the video guide:
- The email input is not checked for validity.
- The token is not checked for payload size (doesn't matter in this case).
- Same with the password input (probably checked at the DB layer).
- The token is always the same; it should be unique for every session.
- The token can be stolen via JavaScript (for example, any script you add to the site, like a chat, can grab the token and re-use it to authenticate). A secure cookie that cannot be stolen using scripting would be better.
- Session lifetime is infinite; it never expires.
- The token is in plaintext; it should be encrypted and hashed with a secret internally to verify its validity (preferably use JWT instead).
- Protecting secret content with JavaScript: disable JavaScript and anyone can access the page content.
- The email is not verified by link (as should be done with a one-time JWT token).
- Logins aren't rate-limited, so someone can brute-force them until you run out of API function time; thus no one can log in any more until you pay for more API time, rinse and repeat...
So why am I still using it?
Because we've built our own authentication system that we're going to use. -
@ThomasD FYI we do have plans to add a premade auth system for authentication, but like ALL premade components it will be limited in terms of features and customization.
Our process is to always focus first on having fully customizable solutions with source code and with a cloud backend,
and then later we create plugins based on that. -
@Joseph-Benguira That's great! When I inquired about it the past xx times, it wasn't on the table. Glad to see it coming up
The customization is what I love most about this system and why we chose it, but the majority of sites we'll create won't need customized authorization.
And I'm sure very few in total will need it. For example, being able to check if the user is currently logged in, inside of an API function, goes a long way and doesn't need a custom authorization layer.
-
@Joseph-Benguira Are user discussion forums on the roadmap? Also is there a link to the roadmap, it might answer many more questions
-
@Academy-for-Certification-Training-Ltd
Forums are way too difficult to make usable; I'd rather they focus on what's currently in the system.
There are basically only two forums businesses host these days, NodeBB and phpBB, with vBulletin still hanging on. I always recommend NodeBB (like AppDrag is using now), but it has to be properly managed.
-
@ThomasD There was a recent request for a How-To section to be added to the community. I think the idea is sound for someone like me who is more interested in how to implement a specific feature, even if that means using a third-party tool or software solution, rather than getting instructions on how to code it myself. Having a learning academy is nice, but ultimately I want the end result and not how to get to the end result.
-
@Academy-for-Certification-Training-Ltd
Yeah, I have a list of articles I'm meaning to add to the How-To section, that's why I suggested it.
Just need to finish the project I'm currently working on.
-
@ThomasD I wait with bated breath
-
@ThomasD Does NodeBB also apply to commenting on blog posts or is that something different?
-
@Academy-for-Certification-Training-Ltd That's different, I'd suggest adding Disqus script widget or the Facebook Comments script widget.
Facebook adds some advantages like marketing targets and segmentation based on visits, but it could also be blocked by Firefox and ad blockers these days.