Authentication consideration #53
Comments
Thanks a lot! JWT is totally possible, but would have to rely on custom implementation on your side — currently you can't prevent daemons from connecting to one another as long as they discover each other.

ok thanks. Any advice to do this custom implementation?

@FPierre I think you'll find it's really simple after you learn the API for the jsonwebtoken package. This is what we use for all of the Feathers authentication suite.
Security seems to be something missing from Cote? The use of broadcast and multicast even on closed networks without TLS and authentication/authorisation is really dangerous in production environments. It would be a really good idea to give this some focus.

I personally believe you can't solve security by throwing concepts at it. It is a conscious decision where and how you want to implement it, taking into consideration a lot of variables. I would love to hear the scenario where "the use of broadcast and multicast on closed networks without TLS & co is really dangerous in production". Specifically, what kind of production environment is that, and how would TLS prevent a leak, as cote should be used for internal communication and securing external endpoints is out of our scope.

Having said that, in fact, cote could be extended to include TLS support — if somebody would be up for the challenge, I can offer help. Additionally, cote can already be configured (although in an obscure and hacky way at the moment) to include symmetric encryption of messages.

Then there's the issue of authentication and authorization. Both of these are out of cote's scope, as there are literally hundreds of ways to do these things. But, obviously, in every app that I do with cote, I implement a proprietary layer on top of cote for authentication and authorization. I believe the best way to support these features is via plugins or middleware, and it's currently in my immediate focus.
In enterprise networks it is very common to have networks that are extensive with loads of different users and services attached. While good network design, network isolation architectures and intermediary firewalls can help mitigate security issues, large organisations cannot be sure that attackers haven't managed to get a foothold onto the network. Therefore it is imperative that any personal/sensitive data - including authentication and authorisation - is encrypted on the wire. This is good enterprise security practice and if more widespread would certainly reduce many of the data leaks we see today by helping prevent attackers from penetrating further into restricted networks.

This is not a case of "throwing concepts" at all! This is a case of security needing defence in depth. As a security expert, this is a constant battle I have with system designers and developers whose focus may be on ease of development and deployment rather than on the wider risk management. There is no single "fix" for security but using security standards throughout certainly helps.

If you are not prepared to support security within this product, it would at least be helpful to tell people so and advise them of security best practice or at least steer them to places where they can learn.

But the real point here is what you are claiming for Cote. You are claiming that this is a "batteries included" solution and currently this is a most dangerous claim since security is virtually absent. You have even set up an e-commerce "case study" that also doesn't seem to include any real security - given the ongoing litany of security disasters we are seeing week-in and week-out from all manner of organisations, this would seem to be very much less than helpful to the community. This is a real shame as otherwise, this seems like an excellent tool.
Hello,

I want to use JWT between microservices (so between Requester <=> Responder, and Publisher <=> Subscriber). Is it possible? Or something else to authenticate calls?

Awesome project by the way: easy to understand and to use :)