[Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added #65

francisli · 2024-03-28T23:01:14Z

No description provided.

…lpassword

francisli · 2024-03-28T23:28:33Z

Implementing CSRF tokens involves adding an additional request to get a token before submitting.

But I'm still not convinced we actually need them to mitigate CSRF attacks. If we use the SameSite=strict setting on our cookies cookie, then browsers will not send the cookie when a request is initiated on a different (i.e. attacker's) site.

Also, since our API is a JSON-based API, they can only be invoked from XMLHttpRequests (i.e. not form submissions), which are also subject to CORS settings, which also restrict the ability for attackers to call the API from different (i.e. attacker) sites.

So I think we can reduce the complexity of our API by removing the CRSF related code...

michaelyshih and others added 6 commits February 23, 2024 01:27

updated node modules in container to fix esbuild storybook err

fa17e39

sample auth route

dda7e8a

add csrf and session package

0fd49a8

sample local auth strategy

75aaf4c

Merge branch 'dev' into 39-api-client-can-authenticate-a-user-by-emai…

8349ca6

…lpassword

Remove duplicate call to dotEnv, add an example.env file for reference

515d6eb

francisli linked an issue Mar 28, 2024 that may be closed by this pull request

API client can authenticate a User by email/password #39

Closed

francisli marked this pull request as draft March 28, 2024 23:01

francisli added 9 commits March 28, 2024 16:35

Remove csrf token protection

5b7563e

Lint changes

d28b274

Fix root test

bc2407c

Setting up auth plugin

182b405

Add test fixtures support, auth test

fdfe7f5

Add auth tests

6b0e859

Naming tweak

b048099

More cleanup/naming tweaks

2e9281f

More cleanup

d36522f

francisli changed the title ~~[Closes #39] WIP API client can authenticate a user by email/password~~ [Closes #39] API client can authenticate a user by email/password Mar 29, 2024

Set up .env in CI

0712248

francisli changed the title ~~[Closes #39] API client can authenticate a user by email/password~~ [Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added Mar 29, 2024

francisli marked this pull request as ready for review March 29, 2024 23:02

francisli added 2 commits March 29, 2024 16:04

Remove console.log

417353a

New server models, more auth testing, more fixtures

38bd765

francisli requested review from javtran and michaelyshih March 30, 2024 01:13

francisli merged commit 2583395 into dev Mar 30, 2024
1 check passed

francisli deleted the 39-api-client-can-authenticate-a-user-by-emailpassword branch March 30, 2024 01:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added #65

[Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added #65

francisli commented Mar 28, 2024

francisli commented Mar 28, 2024

[Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added #65

[Closes #39, Closes #48] API client can authenticate a user by email/password, test db fixtures helper added #65

Conversation

francisli commented Mar 28, 2024

francisli commented Mar 28, 2024