1

I've been asked to write an app with registration and login systems. In essence, I've already wrote the first version of their app using PHP, some javascript/jquery and storing data in MySQL. It worked for a time but now they are growing and expanding so they want something more performant and in realtime with push notifications. You know, the whole nine.

I'm always up to a great challenge especially if I need to learn new technologies. So I have leveled up my game and Im now learning to use Nodejs, Postgres and socket.io. So far I'm understanding the basics fairly well. Ran a few tests and it's top notch.

The only thing that has been plaguing me for the past week is security and registration. I've been doing extensive research on OAuth2 and PKCE Flow. I'm trying to figure out the best practices without compromising UX.

I'd be happy to read more on the subject or if there are any API available. I'm thinking perhaps it's not safe to handle registration and login by myself. The methodology used with PHP and MYSQL is very backward in my opinion and I'm looking for something more modern working with Nodejs and Postgres. Most login and registration systems, for example Google, send temporary numbers that expires within 30 mins and they can recognize your device and send alerts if you login from a device they dont recognize asking you if it's you who just logged in. That's the level I'm trying to reach. Any suggestion?

With PHP and MySQL the current registration flow is as follow : enter image description here

Grogu
  • 111
  • 3
  • Welcome. Please edit your question to more clearly define what your requirements and constraints are? You have defined your existing process, but you haven't really done the same thing for your new process. Why couldn't you just re-implement the workflow (ignoring opportunities to harden it a little)? *The methodology used ... is very backward in my opinion* .. can you elaborate on why you think it is backward? *I'm thinking perhaps it's not safe to handle registration and login by myself.* .. do you have a requirement to hand off your registration (or identification) to a 3rd party? – brynk Mar 07 '21 at 02:55
  • @brynk : Thanks for making me think. I dont have a current process implemented with nodejs. I'm mostly doing research before writing anything because I want it done right. I guess I could just implemented the same process but with Nodejs. I thought the process with Php and MySQL was backward because using hash is error prone. Im looking at third party authentication systems but there aren't many out there other than social media based. I want to reduce errors by checking matching emails and username etc. I like token base. Not sure how to do this. Im brainstorming. Im only one guy working. – Grogu Mar 07 '21 at 04:26
  • @brynk : you can close my question. I recognize it doesnt add any value to the site. I will continue this research on my own and try a few things. Im having blank page syndrome. – Grogu Mar 07 '21 at 04:37

1 Answers1

0

I want to post an answer here for future references.

This is mainly for developers who are developing hybrid apps, native apps (ios,Android) and Progressive web apps (PWA).

Most common technologies used with those types of apps (not exclusive) :

  • Cordova
  • Nodejs
  • Vue
  • React
  • Javascript
  • JSON
  • socket.io (websockets)

Most common databases used (not exclusive) :

  • Firebase
  • MongoDB
  • PostgreSQL (still RDBMS but offering support for json/jsonb)

When it comes to me Im using Nodejs, javascript for front-end, storing JSON/JSONB in PostgreSQL and socket.io to listen for updates in my database which allows me to create real-time apps.

At first when I was asked to migrate our app to a more performant and efficient technology, I had no idea what to look for in terms of security but I knew I wanted something more

  • secure
  • efficient
  • performant
  • less error prone

Coming from a PHP/MYSQL background, I realized I had to unlearn a lot of bad habits that I'm still unlearning at the moment.

Things I have to let go of to meet all above requirements :

  • password hashing : md5(), sha1(), hash()
  • username matching

But what's wrong with password hashing and username matching, you may ask?

The short answer : it's error prone, inefficient and very synchronous

The solutions

I found actually 2 solutions to creating more secure and efficient oAuth systems in your apps. Your login and registration systems don't have to be a pain to write.

Solution #1 : JSON Web Tokens (OpenID Connect)

If you are already making heavy used of Javascript in your software, especially JSON and the technologies I've mentioned above, learning to work with JSON Web Tokens (JWT) is standard practice these days. JWT are also certified and follow the OpenID Connect protocols which means any app using JWT is compliant according to the oAuth 2.0.

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. JWT.IO allows you to decode, verify and generate JWT.

Read more here

Benefits and advantages of tokens

  • create two factor authentication systems (email, username + tokens)
  • single sign-on systems
  • security compliant
  • standard usage of oAuth protocols

Disadvantage of tokens

  • learning curve

Solution #2 : authentication-as-a-service

If you don't want to handle registration and login on your own for security issues, you can safely turn to a third party who will handle it in the background for you and all you have to do is connect your app using their API.

Authentication as a Service (AaaS) provides authentication services like multi-factor authentication, single sign-on, and password management in the cloud. With Authentication as a Service, organizations can control access to their applications and servers from various devices and networks.

There are several different AaaS around, but during my research, the one I found to be open source and free to an extent is auth0.

I'm not using auth0 services nor do I work with them nor am I affiliated to them in any way. This is for education purposes only.

Benefits and advantages of AaaS

  • secure out-of-the box solution
  • human friendly with dashboard and user management
  • remote hosting
  • Easy API docs

Disadvantages of AaaS

  • must rely on third party service
  • Can be pricy in the long run (not exactly open source)

Open Source Projects

Great alternatives to expensive AaaS. The MAJOR plus is that they are self-hosted which means YOU own the data no third party.

  • GLUU Server
  • SuperTokens
  • NextAuth.js (React)
  • ORY.sh
Grogu
  • 111
  • 3