Concepts

Authentication 和 authorization 经常被实现在同套 authentication system 中。

• Authentication 指认证，通常是用户用帐号名密码登录的过程
• Authorization 指授权，表示用户有无权限执行某操作，访问某资源等

Note

我对 authorization 了解甚少。目前看 authentication 跟 authorization 的关联可能不大。后面考虑把这两块内容拆分。

Tasks

• Register:
  • Username and email validation
  • Password strength requirement
  • Email / username normalization
  • Password hashing
• Reset password:
  • Password of the user should be unusable
• Login:
  • Throutte for login attempt
• Change / reset password:
  • Invalidate existing sessions
  • New password should not be the same as the old
• No request after a specific time (etc. 1 day)
  • Invalidate session
• Believed that passwords of some user has been revealed / accounts stolen
  • Batch reset passwords
• CAPTCHA
• Authentication system implementation in Single-page Application
  • https://jcbaey.com/authentication-in-spa-reactjs-and-vuejs-the-right-way

Resources (and to-reads)

• Everything you ever wanted to know about building a secure password reset feature
• Secure Account Management Fundamentals
• Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0：这本书看起来比较专业