Octoblu rolls A new authentication system

10:53 PM

TL; DR

Starting on Friday, 13 March, Octoblu will require every user who registered with an email address and password to go through the password reset flow and set a new password. Users who sign in with Twitter, Facebook, GitHub or Google only have to authorize the Octoblu Auth application again.

The Old Way

In the past, we used a very traditional mechanism to verify a user's identity. We would sign users up with an email address and a password. The Octoblu backend would then run the password through a one-way hash function and save the resulting hash in the user's record in the database. Every time the user logged in, we would hash the submitted password again and compare it with the hash we held. If they matched, the user had entered the correct password and was allowed to continue.

The problem

In the Octoblu application, each user corresponds to a device that is created within Meshblu, which we call the user's device. This lets us reuse Meshblu's logic for users and enforce all of our patent-pending device security logic on them as well. It meant, however, that for Octoblu to take action on the user's behalf, the user record in Octoblu had to hold the user device's token in decrypted form. That was not acceptable to us, because it meant that we had the ability to decrypt a customer's device token.

The solution

So we decided to create a new service. The way we see it, authenticating users is a completely separate concern from managing devices, flows and security groups. We now have an authenticator whose sole job is to exchange an email address and password for the user's device UUID and a unique session token, which the user can then hand to Octoblu to allow Octoblu to act on their behalf.

Verifying the user

The first step for the authenticator is to verify the user's identity. The email/password authenticator does this by looking up the user device record in Meshblu by the email address the user provided. The authenticator only considers devices that it has access to and that are of the correct type. It then checks that the password the user entered matches the hashed version we saved on their user device.

Subtle nuances

Looking up user devices by email address opens a security hole. If I know a user's email address, I can create my own user device directly in Meshblu with the same email address, with permissions set so that it shows up in the authenticator's search. If my device comes back before the real user's device, they will be logging in to my device instead of their own account. They have now unknowingly given me the ability to discover, spy on, or change any devices they create or claim from that point on. To prevent this, the authenticator prepends the user's UUID to the password before hashing it. It then signs the portion of the user device record that is used for authentication with its private key. This way, only records that were actually created and modified by the authenticator are considered valid, and the user's account cannot be hijacked.
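The lookup and the two defenses just described (UUID-bound password hash, signed auth fields) as an added, self-contained example. This is not Octoblu's code: the Meshblu device store is a constructed in-memory list, the device type name and field layout are assumed, and the signature is simulated with an HMAC key held only by the authenticator rather than the asymmetric private key the post mentions, which is enough to show the "only authenticator-written records count" property.

```python
# Added example (not Octoblu's code): an email/password authenticator that
# binds each password hash to its device UUID and signs the auth portion of
# the user device record, so records planted directly in the device store by
# someone else are ignored during login.
import hashlib
import hmac
import json
import os
import secrets
import uuid

# Assumption: the post says the authenticator signs with its private key. This
# example uses an HMAC key held only by the authenticator, which gives the same
# property needed here: nobody else can produce a record that verifies.
AUTHENTICATOR_KEY = secrets.token_bytes(32)

# Constructed in-memory stand-in for Meshblu's device store (a list, so the
# order in which a lookup returns records can be controlled in the demo).
MESHBLU = []
USER_TYPE = "octoblu:user"  # assumed type name for user devices


def hash_password(device_uuid, password, salt):
    # The device UUID is prepended to the password before hashing, so a hash
    # lifted from one record never verifies under a different device's UUID.
    return hashlib.pbkdf2_hmac("sha256", (device_uuid + password).encode(), salt, 100_000)


def sign_auth(device_uuid, email, salt, pw_hash):
    # The signature covers exactly the fields the authenticator relies on.
    msg = json.dumps([device_uuid, email, salt.hex(), pw_hash.hex()]).encode()
    return hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).digest()


def create_user_device(email, password):
    """What the authenticator writes at registration."""
    device_uuid = str(uuid.uuid4())
    salt = os.urandom(16)
    pw_hash = hash_password(device_uuid, password, salt)
    record = {"uuid": device_uuid, "type": USER_TYPE, "email": email,
              "salt": salt, "hash": pw_hash}
    record["signature"] = sign_auth(device_uuid, email, salt, pw_hash)
    MESHBLU.append(record)
    return device_uuid


def lookup_by_email(email):
    # Only devices of the right type (and, in real Meshblu, visible to the authenticator).
    return [r for r in MESHBLU if r["email"] == email and r["type"] == USER_TYPE]


def authenticate(email, password):
    """Return the device UUID on success, None otherwise."""
    for rec in lookup_by_email(email):
        expected = sign_auth(rec["uuid"], rec["email"], rec["salt"], rec["hash"])
        if not hmac.compare_digest(rec["signature"], expected):
            continue  # not written by the authenticator: skip it entirely
        candidate = hash_password(rec["uuid"], password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            return rec["uuid"]
    return None


def demo():
    """Victim registers; attacker plants two rogue records that are returned first."""
    del MESHBLU[:]
    victim_uuid = create_user_device("alice@example.com", "correct horse battery")
    victim = next(r for r in MESHBLU if r["uuid"] == victim_uuid)
    # Rogue record 1: same email, attacker's own password hash, bogus signature.
    rogue_own = {"uuid": str(uuid.uuid4()), "type": USER_TYPE, "email": "alice@example.com",
                 "salt": os.urandom(16), "hash": hashlib.sha256(b"attacker-pw").digest(),
                 "signature": bytes(32)}
    # Rogue record 2: victim's salt, hash and signature copied verbatim under a new UUID.
    rogue_copy = dict(victim, uuid=str(uuid.uuid4()))
    MESHBLU.insert(0, rogue_copy)
    MESHBLU.insert(0, rogue_own)
    return {
        "victim": victim_uuid,
        "first_returned": lookup_by_email("alice@example.com")[0]["uuid"],
        "good_login": authenticate("alice@example.com", "correct horse battery"),
        "bad_login": authenticate("alice@example.com", "wrong password"),
    }


if __name__ == "__main__":
    print(demo())
```

Even though both rogue records are returned ahead of the real one, the login still resolves to the victim's own UUID: the first rogue record fails the signature check, and the copied one fails both the signature (it was computed over a different UUID) and the password hash (the UUID is part of the hashed input).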

Obtaining a session token

How does the authenticator hand the user off with a token when it is not allowed to store one? We use Meshblu's whitelist permissions model to give the authenticator just enough access to create a new single-use token that represents the user. That token is passed as a GET parameter to Octoblu, where it is immediately consumed and exchanged for a longer-lived token. Octoblu passes the new token to the user and immediately forgets it. The user then holds their session token locally on their own computer and nowhere else, which means we never need to store the token on the server.

From there, the user simply presents the token to Octoblu whenever they want Octoblu to perform an action on their behalf. Each time, Octoblu performs the action and then promptly discards the token. This way, the actual user is the only party that stores a token of any kind outside Meshblu, and the user's machine is the only place an unencrypted copy of the token is ever kept.
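The handoff in the two paragraphs above, as an added example that is not Octoblu's or Meshblu's code. Three parties run in one process: a constructed Meshblu stand-in that stores token hashes only, an authenticator that mints the single-use token (identity verification is assumed to have already succeeded), and an Octoblu stand-in that swaps it for a session token and keeps nothing. The device UUID, the GET parameter names and the whitelist scope are assumptions.

```python
# Added example (not Octoblu's code): the session-token handoff, run as three
# in-process parties. Meshblu stores only token hashes; the authenticator mints
# a single-use token; Octoblu swaps it for a session token, hands that to the
# user, and retains nothing.
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


class Meshblu:
    """Constructed stand-in for Meshblu's token store. Keeps hashes, never plaintext."""

    def __init__(self):
        self.tokens = {}  # (device_uuid, sha256(token)) -> {"single_use": bool}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def generate_token(self, device_uuid, single_use):
        token = secrets.token_urlsafe(32)
        self.tokens[(device_uuid, self._digest(token))] = {"single_use": single_use}
        return token  # the plaintext leaves Meshblu exactly once, here

    def authenticate(self, device_uuid, token):
        key = (device_uuid, self._digest(token))
        meta = self.tokens.get(key)
        if meta is None:
            return False
        if meta["single_use"]:
            del self.tokens[key]  # consumed on first use, so a replay fails
        return True


class Authenticator:
    """Given an already verified identity, mints a one-time token for Octoblu."""

    def __init__(self, meshblu):
        self.meshblu = meshblu

    def handoff(self, device_uuid):
        # Assumes the email/password (or OAuth) check has already succeeded and
        # that the whitelist grant lets the authenticator do only this much.
        token = self.meshblu.generate_token(device_uuid, single_use=True)
        return urlencode({"uuid": device_uuid, "token": token})  # GET parameters


class Octoblu:
    def __init__(self, meshblu):
        self.meshblu = meshblu
        self.actions = []  # audit of actions performed; holds no tokens

    def exchange(self, query_string):
        """Consume the single-use token and return a longer-lived session token."""
        params = {k: v[0] for k, v in parse_qs(query_string).items()}
        if not self.meshblu.authenticate(params["uuid"], params["token"]):
            return None
        session = self.meshblu.generate_token(params["uuid"], single_use=False)
        return session  # returned to the user; Octoblu does not keep a copy

    def perform(self, device_uuid, session_token, action):
        """Validate the presented token, do the work, drop the token."""
        if not self.meshblu.authenticate(device_uuid, session_token):
            return False
        self.actions.append((device_uuid, action))
        return True


def demo():
    meshblu = Meshblu()
    authenticator = Authenticator(meshblu)
    octoblu = Octoblu(meshblu)
    device_uuid = "1b5e0d4e-9d0c-4b8c-a3c9-3f2d6a7e8c01"  # constructed value
    query = authenticator.handoff(device_uuid)
    session = octoblu.exchange(query)
    replay = octoblu.exchange(query)  # the same GET parameters presented twice
    return {
        "session_issued": session is not None,
        "replay_rejected": replay is None,
        "first_action": octoblu.perform(device_uuid, session, "run flow"),
        "second_action": octoblu.perform(device_uuid, session, "list devices"),
        "forged_token_rejected": not octoblu.perform(device_uuid, "not-a-token", "x"),
        # Plaintext tokens exist only in the user's hands: Meshblu holds hashes
        # and nothing in Octoblu's state contains the session token.
        "plaintext_on_servers": any(session in key[1] for key in meshblu.tokens)
                                or session in repr(vars(octoblu)),
    }


if __name__ == "__main__":
    print(demo())
```

Replaying the single-use GET parameters yields no session, a made-up token is refused, and the session token appears nowhere server-side; a compromise of Octoblu's own storage would therefore expose no usable credential.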

We used the same general concept to craft the remaining authenticators, one for each of the OAuth providers we allow for the application (Google, Facebook, Twitter and GitHub). Any third party can write their own authenticator for Octoblu as well: all we need is a device UUID and a one-time token, and we will let the user manage all of their own devices. For example, you could create a SAML authenticator that gives your Active Directory users access to Octoblu.

What this means for you

We originally created user accounts the Old Way. From Friday, 13 March, all users who registered with an email address and password will be required to go through the password reset flow and set a new password. Users who sign in with Twitter, Facebook, GitHub or Google only have to authorize the Octoblu Auth application again.
