5

I am trailing the Gun/SEA authentication system for a distributed/serverless application. This app is saving session information to local storage when a Gun user is authenticated. One problem I am having is when the page is refreshed or a new tab is opened I want to keep the user authenticated while the session is valid and I would rather not store the user name and password in local storage due to XSS and physical security reasons. Is there a solution to this problem currently? I think sessionStorage could be nicer but it still has some of the same security issues of storing the user name and password somewhere an attacker may be able to get it, and needing the user to log in when a new tab is opened.

Matt Grant
  • 51
  • 4
  • welcome to SO! Please add more details to your question (e.g. code snippets) and show exactly what you already tried. – Omri374 Dec 02 '18 at 08:55
  • `var gun = Gun(); var user = gun.User(); user.auth(userName, password, (ack) => { //setup session info here if logged in successfully });` This is what I am trying to do. I have a global reference to the user so I can navigate around the application but if I refresh the page or open a new tab then the user reference is lost. If I want to access the user data in gun I have to create a new user object and call auth with the same user name and password. This means I basically have to store the user name and password locally while the session is valid. It's not ideal. – Matt Grant Dec 04 '18 at 09:44
  • The session part is currently just some session expiry information put into local storage. – Matt Grant Dec 04 '18 at 09:48
  • remember to add your user.ts or whatever file you name for user auth these two `import 'gun/sea'; import 'gun/axe';` – Bitfinicon Jul 23 '22 at 14:26

1 Answers1

4

grant ! Awesome to hear from you, sorry for the delay in reply (I'm not sure who the person commenting was, as it didn't really help your situation).

This is a great question, and you have somewhat already poked at the limits of security and browser tech - honestly, none of them are very good. Let's review:

  1. if you add user.recall({sessionStorage: true}) it will attempt auto log you back in. But you are right, there are some security tradeoffs, but I think this one is reasonable.
  2. localStorage. I've heard a few people complaining different browsers handle sessionStorage poorly (doesn't preserve in new tab, etc.), so the next option would be to use localStorage. However, I do think this is an actual security concern.
  3. SPA. Single Page App - this will already be useful if you are trying to distributed standalone packaged 'dApps'. But you are right, you still have the refresh problem. In my own experience, (1) worked well enough to make this a good user experience.
  4. PIN. Another idea our community threw around was using (1 ~ 3) but combining it with a device PIN code. This means you could store it in localStorage with reasonable security assumptions, and on refresh/resume users type in their PIN to decrypt their session.
  5. IndexedDB. Turns out that WebCrypto API does have an option to import keys and will encrypt them in IndexedDB and retrieve them later without it getting passed to user land - at least, that is what I've heard. However, you still have to deal with initially getting the keys, and IndexedDB support varies, and you'd to write a GUN plugin for it.
  6. Browser extension. I like this least of all, since it requires a user to install something, but due to browsers not providing some native functionality equivalent to this that is secure, we have to intervene. The good news is that there is a GUN + MetaMask integration happening, and MetaMask already has 1M+ installs, so there may be a chance your users already have it.
  7. Browser API. We will be working with the MetaMask team and others to get a native API for this as a standard. My hope is Brave will follow MetaMask's lead, and FireFox will follow Brave, and Chrome last.

In the meanwhile, your original suggestion is probably best - to use (1) sessionStorage. It will be/is forward/backward compatible with MetaMask. Mid-term hopefully you or somebody else in the community will get (5) working. And then long-term (6 & 7) will be the solution.

As for now, check out the MetaMask demo: https://twitter.com/marknadal/status/1062153254283276288

Edit: MetaMask still working on their API for this, in the meanwhile, you can use our http://party.lol extension.

marknadal
  • 7,534
  • 4
  • 25
  • 22