Add Auth

[ayroblu]

You guys were talking about auth, just an fyi, I think I already included a basic version in the api (api/routes/auth) with some of the endpoints already defined, its missing things like password resets and stuff but the basics are there, including a bcrypt password hasher

[WesleyYep]

Did this get brought up in today's meeting? I'm more comfortable using something like facebook login - there's a javascript sdk for it.
Then all we would need to do would be to store a list of trusted user and admin emails - no need to worry about passwords/resets/hashing/etc
This also assumes login functionality would only be needed through the website/app - and not the parking meter.

• I'll post on the google group in case the managers have an opinion

[ayroblu]

Using the facebook sdk requires creating a facebook app, getting secret keys etc (something I haven't really worked out for an open source project)
Password hashing is literally a one liner, and again, I've already implemented half of it, its pretty straight forward. Its probably more standard to have both?

[eddiecjc]

Do we have a public Facebook account for OpenCityProject? It is easy to create one and getting the app and the secret keys needed for the SDK to use, I have done it for some projects at work. I think for Google, Twitter etc are similar although I haven't done it personally. Needing to create an account and storing password probably would annoy some paranoid users, also it puts burden and responsibility on our system to protect that password (imagine some people use the same password for their bank accounts, and our app / backend failed to secure any single part of the password handling, and bear in an attacker only needs to find the weakest spot). Given the reason above, I would suggest avoid handling the password in any part of our system if possible. And for Admin/moderators, we will need to come up with a solution of securely assign their roles (maybe the website calls a protected API not exposed to the public). Would you all agree? Regards, Eddie Chiang Sent from a mobile device. Forgive the brevity, the typos and the lack of nuance. On 15/12/2016, at 9:23 AM, Ben Lu <[email protected]> wrote: Using the facebook sdk requires creating a facebook app, getting secret keys etc (something I haven't really worked out for an open source project) Password hashing is literally a one liner, and again, I've already implemented half of it, its pretty straight forward. Its probably more standard to have both? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[WesleyYep]

Yeah I also prefer not to deal with passwords and registration ourselves. Although I see your point Ben, in that it wouldn't be too hard to add.
Maybe both could work, then at least we give the user a choice.
For admin/moderators - the facebook sdk contains a signedRequest field in the response, that provides info about the person calling the login api. I'm assuming it's fairly secure. Hence we could just store a mapping between this identification and their role (admin/mod/normal user).