Overview:
I want to implement Lucia as an authentication method with only `username` and `telegram_id`. Both `username` and `telegram_id` are potentially known properties for anyone. However, it seems very convenient to utilize them within a Telegram mini-app as an authentication method since the user is already authenticated by the Telegram app. Cookies are very effective for maintaining authentication sessions.
Some Details:
In the Telegram mini-app, I plan to utilize a verification hash to ensure that the web app is running within Telegram. This measure aims to protect against certain security vulnerabilities.
Implementation
The dev kit is Lucia and drizzle. When the user opens the Telegram mini app, which is potentially a URL to a website, the bot sends `telegram_id`, `username` and `temporary_hash` as params. Then, in the background, I authenticate it via Lucia using only `telegram_id`, and the user gets access to their data.
Concerns:
I'm curious about the potential security vulnerabilities associated with this authentication method. Are there any significant risks or considerations I should be aware of?
Alternative Approach:
Alternatively, should I always generate a password for every user in my database? Would this be a more secure approach compared to using username and telegram_id for authentication?
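Added example (not from the post, and not Lucia's own code): server-side validation of the Telegram Mini App `initData` signature, which is what the verification hash mentioned above checks before any `telegram_id` is trusted. It assumes Telegram's documented scheme (an HMAC-SHA256 chain keyed with the literal string `WebAppData` and the bot token) and a constructed placeholder bot token; `buildInitData` only stands in for what Telegram's client does.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed placeholder; a real deployment reads the bot token from config.
const BOT_TOKEN = "123456:PLACEHOLDER_BOT_TOKEN";

interface VerifiedInitData {
  telegramId: number;
  username?: string;
  authDate: number;
}

// data_check_string = "key=value" pairs (hash excluded), sorted by key, joined by "\n"
// secret = HMAC_SHA256(key="WebAppData", msg=bot_token)
// hash   = hex(HMAC_SHA256(key=secret, msg=data_check_string))
function computeHash(fields: Record<string, string>, botToken: string): string {
  const dataCheckString = Object.keys(fields)
    .filter((k) => k !== "hash")
    .sort()
    .map((k) => `${k}=${fields[k]}`)
    .join("\n");
  const secret = createHmac("sha256", "WebAppData").update(botToken).digest();
  return createHmac("sha256", secret).update(dataCheckString).digest("hex");
}

// Returns the verified identity, or null if the signature, freshness or user payload is bad.
// `now` is the current Unix time in seconds; `maxAgeSec` bounds replay of an old initData.
function verifyInitData(initData: string, botToken: string, now: number, maxAgeSec = 3600): VerifiedInitData | null {
  const fields: Record<string, string> = {};
  new URLSearchParams(initData).forEach((v, k) => { fields[k] = v; });
  const received = fields["hash"];
  if (!received) return null;
  const a = Buffer.from(received, "hex");
  const b = Buffer.from(computeHash(fields, botToken), "hex");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;  // constant-time compare
  const authDate = Number(fields["auth_date"]);
  if (!Number.isFinite(authDate) || now - authDate > maxAgeSec) return null;  // stale initData
  const user = JSON.parse(fields["user"] ?? "{}");
  if (typeof user.id !== "number") return null;
  return { telegramId: user.id, username: user.username, authDate };
}

// Demo helper standing in for Telegram's client: signs a constructed initData string.
function buildInitData(params: Record<string, string>, botToken: string): string {
  const qs = new URLSearchParams();
  for (const k of Object.keys(params)) qs.set(k, params[k]);
  qs.set("hash", computeHash(params, botToken));
  return qs.toString();
}
```

Only a non-null result should be used to look up or create the Lucia user row and open the cookie session; a bare `telegram_id` query parameter carries no proof of who sent it.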