Generic authentication/authorization components #2126
+1 some questions/comments
I'm not a security expert but aren't
There is no such thing in node (it is single threaded by design). Would be good if we can make it work for you by just providing a generic hook, rather than managing state.
HttpOnly flag solves a bit different problem. The issue is in cookies' nature. They are sent with each request automatically.
and send it to a victim. Victim's browser will send all cookies it has, including HttpOnly, to http://netbank.com/transfer.do.
I can rephrase it to such statement: we should be able to have a way to identify a user who made the initial and all subsequent requests.
You can start by looking into the express middleware. There is support for CSRF protection: https://github.com/expressjs/csurf. An extension can configure the middleware via
Small status update. I would like to ask to keep this issue open until we finalize our POC. I hope it will be soon.
We completed our POC. We also use cookies to implement authentication. The single con of this solution is that Theia should not use (afaik it's not using for now) POST method with
The goal of this issue is to clarify/implement parts of Theia that can be reused by vendors if they want to make Theia multi-user.
These components should not depend (or at least it should be possible to bind a different implementation) on a concrete authentication way or identity management system.