Not sure if having standard authentication code sent to the client is unsafe or a bad practice. (The default JWT secret is obviously unsafe and only there for the tutorial to work without environment variables set up.) A traditional express route is an option, but there are ways to get both the type-safety of a @BackendMethod call and an implementation that isn't shared with the client. I think it's better to keep the tutorial authentication in its current simple form, and add some text pointing out the fact that this code is sent to clients and explaining the alternatives in case the reader isn't comfortable with that.
Hey all,
I was thinking about the authentication flow in the tutorial and it occurred to me that having the `AuthController.ts` file in the shared file seems insecure. Doesn't shared code get sent to the client? And yes, it turns out it does. I can see, in my browser, the default JWT secret. That's maybe fine as long as the environment variable is utilized, but seems not great practice to me. Even if we removed the "my secret" default, it's probably not great practice to leak the process used to authenticate.
As an alternative, we can use a traditional express route that is server side only.
Thoughts?