Remember me, theft prevention doubt #227

Closed
frederikhors opened this issue Apr 8, 2019 · 2 comments

Comments

Contributor

frederikhors commented Apr 8, 2019

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#210).

Reading this answer (https://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website/244907#244907), I think something like this can be good for authboss:

If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.

```go
import (
	"context"
	"log"

	"github.com/go-pg/pg"
	"github.com/volatiletech/authboss"
)

// DelRememberTokens removes every remember-me token stored for the user pid.
func (m DBStorer) DelRememberTokens(ctx context.Context, pid string) error {
	authToken := new(AuthToken)
	if _, err := DB.Model(authToken).Where("pid = ?", pid).Delete(); err != nil {
		return err
	}
	return nil
}

func (m DBStorer) UseRememberToken(ctx context.Context, pid, token string) error {
	authToken := new(AuthToken)
	// -------> JUST SEARCH FOR PID HERE
	// Does this user have any remembered session at all? If not there is
	// nothing to steal, so report a plain miss without revoking anything.
	if err := DB.Model(authToken).Where("pid = ?", pid).Limit(1).Select(); err != nil {
		log.Println(err)
		return authboss.ErrTokenNotFound
	}
	// theft prevention (https://stackoverflow.com/a/244907/10088259)
	// -------> SEARCH FOR PID AND TOKEN HERE
	err := DB.Model(authToken).Where("pid = ?", pid).Where("token = ?", token).Select()
	if err == pg.ErrNoRows {
		// ----------------> IF NO TOKEN FOR THIS PID DELETE ALL!
		// The user has remembered sessions but none carries this token:
		// assume the cookie was stolen and revoke all of them.
		if delErr := m.DelRememberTokens(ctx, pid); delErr != nil {
			log.Println(delErr)
		}
		log.Println(err)
		return authboss.ErrTokenNotFound
	}
	if err != nil {
		// A database failure is not evidence of theft; surface it instead of revoking.
		log.Println(err)
		return err
	}
	// Tokens are single use: remove the one that was just presented.
	if _, err := DB.Model(authToken).Where("pid = ?", pid).Where("token = ?", token).Delete(); err != nil {
		log.Println(err)
		return err
	}
	return nil
}
```

Am I wrong?

Is there a case where it can be possible?
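A self-contained version of the series/token scheme from the linked Stack Overflow answer, added here as an example; it is not code from authboss, authboss-sample or the issue author. It swaps the go-pg storer for an in-memory map and keys each remembered session by a random per-cookie series id, as the answer does, rather than by the user's pid. The names memStore, Issue, UseRememberToken and ErrTheftDetected are assumptions for this example; ErrTokenNotFound stands in for authboss.ErrTokenNotFound.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// ErrTokenNotFound stands in for authboss.ErrTokenNotFound; ErrTheftDetected
// is an assumed name for the "series known, token wrong" outcome.
var (
	ErrTokenNotFound = errors.New("remember token not found")
	ErrTheftDetected = errors.New("remember cookie replayed: all remembered sessions revoked")
)

// rememberRow is one remembered login: the series id (map key) is fixed for the
// life of the cookie, the token is replaced every time the cookie is used.
type rememberRow struct {
	pid   string
	token string
}

// memStore is an in-memory stand-in for the DBStorer in the issue (constructed
// for this example), keyed by series id.
type memStore struct {
	mu   sync.Mutex
	rows map[string]*rememberRow
}

func newMemStore() *memStore { return &memStore{rows: map[string]*rememberRow{}} }

// randomHex returns n bytes from crypto/rand, hex encoded.
func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback if the CSPRNG fails
	}
	return hex.EncodeToString(b)
}

// Issue creates a remembered session for pid and returns the cookie value
// "series:token" that would be set on the client.
func (s *memStore) Issue(pid string) string {
	series, token := randomHex(16), randomHex(32)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.rows[series] = &rememberRow{pid: pid, token: token}
	return series + ":" + token
}

// delAllLocked removes every session of pid; the caller must hold s.mu.
func (s *memStore) delAllLocked(pid string) int {
	n := 0
	for series, row := range s.rows {
		if row.pid == pid {
			delete(s.rows, series)
			n++
		}
	}
	return n
}

// DelRememberTokens revokes every remembered session of pid, as in the issue,
// and reports how many were removed.
func (s *memStore) DelRememberTokens(pid string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.delAllLocked(pid)
}

// UseRememberToken validates a presented cookie. On success it rotates the
// token and returns the pid plus the replacement cookie. An unknown series is a
// plain miss. A known series with a non-matching token means the cookie was
// used twice (once by the user, once by whoever copied it): every remembered
// session of that user is revoked and the pid is returned so the caller can
// show the "strongly worded warning" from the answer.
func (s *memStore) UseRememberToken(cookie string) (pid, newCookie string, err error) {
	parts := strings.SplitN(cookie, ":", 2)
	if len(parts) != 2 {
		return "", "", ErrTokenNotFound
	}
	series, token := parts[0], parts[1]

	s.mu.Lock()
	defer s.mu.Unlock()
	row, ok := s.rows[series]
	if !ok {
		return "", "", ErrTokenNotFound
	}
	if subtle.ConstantTimeCompare([]byte(row.token), []byte(token)) != 1 {
		s.delAllLocked(row.pid)
		return row.pid, "", ErrTheftDetected
	}
	row.token = randomHex(32)
	return row.pid, series + ":" + row.token, nil
}

func main() {
	s := newMemStore()
	laptop, phone := s.Issue("alice"), s.Issue("alice")
	stolen := laptop                          // attacker copies the laptop cookie
	_, laptop, _ = s.UseRememberToken(laptop) // alice returns: token rotates
	_, _, err := s.UseRememberToken(stolen)   // attacker replays the old token
	fmt.Println("replay:", err)
	_, _, err = s.UseRememberToken(phone)
	fmt.Println("phone after theft:", err)
	_, _, err = s.UseRememberToken(laptop)
	fmt.Println("laptop after theft:", err)
}
```

The order of use does not matter: if the attacker presents the copied cookie first, the attacker gets the rotated token and the legitimate user's next visit is the one that trips the check, which is why every session of the user is revoked rather than only the one series.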

@frederikhors frederikhors changed the title Remember me, theft prevention. Remember me, theft prevention doubt Apr 8, 2019
frederikhors (Contributor, Author) commented

Only now I thought that maybe this issue should be opened on the authboss-sample repo.

Member

aarondl commented Apr 11, 2019

This is definitely a fine implementation. Feel free to add the suggestion to the wiki backlog.

@aarondl aarondl closed this as completed Apr 11, 2019