I work for a publishing company that also provides content distribution to its users. In order to access a piece of content, the user must be entitled to do so. Traditionally this authorization check has been done in several different ways (most of them legacy, insecure and, to be honest, very ugly). We do support username and password authentication, but this is by far the least common way used for gaining access to content. For the sake of this post, let’s assume that the only alternative is for a user to reach our product from a company’s internal portal – we call this “Referral acc..

A good auth system contains access and refresh tokens. I know what access tokens are for and I know what refresh tokens DO – but I don’t understand their meaning.

For example:
If I authenticate myself successfully to an API, then I get an access token and a refresh token. If a bad guy steals my access code, he can access the API for maybe the next 5 minutes or so. But if he steals my refresh token, which maybe expires in 6 months, he can give himself a new access token every time, and so he can stay in the system longer.

So what are the advantages of refresh tokens – I don’t see..