Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross domain authentication (using cookies?) #278

Open
Tracked by #253
joepio opened this issue Jan 5, 2023 · 0 comments
Open
Tracked by #253

Cross domain authentication (using cookies?) #278

joepio opened this issue Jan 5, 2023 · 0 comments

Comments

@joepio
Copy link
Member

joepio commented Jan 5, 2023
edited
Loading

Since #241 we have cookie-based authentication. This solved the issue of opening images that require authentication. However, this approach only works for images on the same domain. If you'd visit example.com, where you'd login, and show a private image from atomicdata.dev, you would not be able to see it, because example.com's JS will not be able to set a cookie due to security.

So how do we deal with this?

  • We still want to have cross-domain authentication for automatically downloaded things
  • We can't set custom headers, because images requested automatically by the browser. Only the cookies for that domain are included

Set a cookie server-side

This is the de facto standard way of doing things. Servers control authentication and identies. We could add a /cookie endpoint, which returns a server-signed cookie (JWT) that proves to the server that the user is authenticated.

This approach is feasible, but it also feels like unnecessary complexity. Since the client owns the private key (and not the server), there is no need for the server to sign anything. It just adds another point of failure.

Add a query parameter with some token

Instead of requesting atomicdata.dev/myimage.png, you'd request atomicdata.dev/myimage.png?authResource=asdf. The client adds this token, which encodes an Authentication Resource (i.e. the same content as the cookie)

This means the client will need to add this query param to all image URLs.

Proxy all the images

Instead of requesting atomicdata.dev/myimage.png, we'd request example.com/proxy?url=atomicdata.dev/myimage.png. The proxy could then re-use the Authentication Resource created by the client, and gain access to the image.

This approach has a couple of downsides:

  • The proxy server can now access the image. This is not very privacy friendly.
  • It will be far slower because extra roundtrip, the image will load 2 to 3 times slower.
  • The proxy server will have far more work to do, which makes performance worse for other users.
@joepio joepio mentioned this issue Jan 5, 2023
Open
3 tasks
@joepio joepio changed the title Cross domain requests. I wasn't yet able to set cookies in such a way, that they would be scoped to one domain that is different from the current domain. This means that setting an image on a private drive on atomicdata.dev, and then visiting that image from a different domain, would not actually work at this moment. EDIT: As @rescribet noted below, it is not possible to set a cookie using JS for a domain other than the domain where the script originated. Cross domain requests. Jan 5, 2023
@joepio joepio changed the title Cross domain requests. Cross domain authentication (using cookies?) Jan 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@joepio