SEL-Columbia/dokomoforms

User accounts and authentication

vr2262 opened this issue · 8 comments

Probably too early to talk about authentication and user accounts since we should start on the visualization layer first, but if we're going to store passwords, we should both hash and salt them:

https://crackstation.net/hashing-security.htm

OTOH, we could forgo passwords altogether, and use email handshaking, as Mozilla is experimenting with:

https://blog.webmaker.org/one-less-password

The py-bcrypt module works well for password hashing.

I'm fine with email-only authentication as it does remove a bit of complexity.

So we need to worry about securing our API...

Short of figuring out SSL (and certs...), I think an OAuth approach as mentioned on this site should work:

http://blog.miguelgrinberg.com/post/restful-authentication-with-flask

After deliberating (after eating 🍗), I'm not exactly sure why we have an API in the first place. Who's going to use it? What are the use cases?

If we are going to expose an API, I think API tokens are the way to go. Easy to implement, easy to use.

Here's an example application using tokens (with duration):

https://github.com/miguelgrinberg/REST-auth
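A sketch of the token-with-duration idea discussed above, added here as an example; it is not code from this thread, from dokomoforms, or from the linked REST-auth project. The names `SECRET_KEY`, `issue_token` and `verify_token` and the `payload.signature` token layout are assumptions made for illustration, using only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads a random secret from config.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user_id, duration=600, now=None, key=SECRET_KEY):
    """Return '<payload>.<signature>' valid for `duration` seconds."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + duration}).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


def verify_token(token, now=None, key=SECRET_KEY):
    """Return the user id, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload = _unb64(payload_part)
        signature = _unb64(sig_part)
    except (ValueError, AttributeError):
        return None
    # Check the signature (constant-time) before parsing client-controlled data.
    if not hmac.compare_digest(signature, _sign(payload, key)):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["uid"]
```

A token like this is a bearer credential: anyone who captures it can replay it until it expires, so it still has to travel over TLS.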

FWIW, here is why the original FH (hereafter referred to as Formhub Classic Formula) had an API:

Behind the scenes, Map Your World will be powered by formhub and ODK Collect. To do this, we are working to provide the MYW team with formhub APIs that will allow them to build the MYW on top of the formhub as a service. This will allow them to focus on creating powerful visualizations while formhub will handle all the form submissions, user permissions and data storage. We think this is a model that will make sense for a lot of organizations who want to leverage the power of mobile data collection but create an experience more adapted for their project needs. If you are interested in doing the same and want early access to our APIs please let us know.

@Snkz and I discussed this issue with @chrisnatali and mulled over creating an SEL-wide user authentication scheme. Afterward, Abdi and I took a look at Mozilla Persona and decided it should meet all of our needs:

  1. We offload the "heavy lifting" of user authentication to Persona.
  2. Once a user has an e-mail address associated with Persona, it is valid across all services that use Persona.
  3. We trust Mozilla (as they provide a Persona server), but down the line we can run our own Persona server if we want.

A potential downside of Persona is that it requires JavaScript. However, for Dokomo, at least, JavaScript is already required.

Take a look at the quick setup guide here: https://developer.mozilla.org/en-US/Persona/Quick_Setup

We went with Persona.