From 8036c6a54ab982d16f6fa53b679b8e02c1052a15 Mon Sep 17 00:00:00 2001 From: Tim Wundenberg Date: Mon, 12 Aug 2024 19:14:03 +0200 Subject: [PATCH] #73 take decision on authentication --- Readme.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Readme.md b/Readme.md index 3706298..2d9d0b8 100644 --- a/Readme.md +++ b/Readme.md @@ -5,7 +5,7 @@ Your (almost) independent tech stack to host on a VPC. ## Features -stackFAST includes everything you need to build your App. Focus yourself on developing your idea, instead of "wasting" time on things like setting up auth and observability. This blueprint tries to include as much as possible, but not everything is viable. For example an slef hosted Mail server is just too much hastle. +stackFAST includes everything you need to build your App. Focus yourself on developing your idea, instead of "wasting" time on things like setting up auth and observability. This blueprint tries to include as much as possible, but still keep it simple. The blueprint contains the following features: - Authentication: Users can login, logout, register and reset their password. For increased security TOTP is available aswell. @@ -19,19 +19,19 @@ The blueprint contains the following features: ### Authentication -Authentication is a broad topic. Many people think you should not consider implementing authentication yourself. On the other hand, experts at OWASP don't recommend this in their cheat sheet on that topic. I'm going to explain my criterions and afterwards explain the decision. +Authentication is a broad topic. Many people think you should not consider implementing authentication yourself. On the other hand, experts at OWASP don't recommend this in their cheat sheet on that topic. I'm going to explain my criterions and afterwards take a decision. There are a few restrictions I would like to contain: -- I want this blueprint do as much as I can myself in order to not rely on external services. This way the things needs to be done on other website are very minimal. Furthermore I would like to take back control and privacy from BigTech. +- I want this blueprint do as much as as possible without relying on external services. This way the things needs to be done on other website are very minimal. Furthermore I would like to take back privacy from BigTech. - I think most cloud services are overpriced. I want to provide an alternative approach with self holsting. But I don't like the idea to spin up 30 services for a small app with 0 users. It should still be possible to run on a small VPC (2vcpu, 2GB). -- It should be secure (No shit sherlock) +- It should be as secure as possible As of 2024 there are 4 options: - Implement the authentication myself: If I'm holding thight to the cheat sheet, I "should" be able to doge "most" security risks and attacks according to this topic. Unfortanatly I'm not an expert in this field and will do some errors. If people will buy this blueprint, I probably can't sleep well. Especially if real users start using it. At least this has the advantage of not adding adittional services or configuration to the project. -- Using OAuth2 with Google and Apple: Using OAuth2 is the standard for secure applications. Google and Apple has their experts. They deal with attacks every hour of the day. This has the advantage, that users don't have to create new credentials. +- Using OAuth2 with Google and Apple: Using OAuth2 is the standard for secure applications. Google and Apple has their experts. They deal with attacks every hour of the day. This has the advantage, that users don't have to create new credentials. The only disatvantage is my personal hate on big tech. - Using OAuth2 with Keycloak: Same as above, just that the OAuth2 endpoint is another self hosted service. The only advantage is, it's not proprietary and self hosted. But users are not used to get redirected to a key cloak on sign up. They are used to sign in with Google though. Furthermore Google et. al are protecting themselves against credential stuffing attacks etc. - Firebase, Clerk, etc.: Users have to sign up again AND blueprint users have to setup another project. -Even though I would really implement authentication myself, I think OAuth2 with external providers is the best bet. Especially because my reasoning is privacy, which most people just don't care about enough. +Even though I would really implement authentication myself, I think OAuth2 with external providers is the best bet. Especially because my reasoning is privacy, which most people just don't care about enough. Using this approach, adding in a keycloak is possible without breaking changes at a later point, as long as I keep the Google Sign In.