6

We are running a web application (shiny-server, where coding is done in R) and want to add an authentication layer to it. Rather than building something to do this in R, I thought of using meteor to create auth tokens and all that. This is the way I was thinking of doing it:

  • A user logs in with meteor and meteor creates a database entry that looks something like this:
    { "createdAt" : 1372521823708,
      "_id" : "HSdbPBuYy5wW6FBPL",
      "services" : { "password" : { "srp" : { "identity" : "vKpxEzXboBaQsWYyJ",
            "salt" : "KRt5HrziG6RDnWN8o",
            "verifier" : "8d4b6a5edd21ce710bd08c6affb6fec29a664fbf1f42823d5cb8cbd272cb9b2b3d5faa681948bc955353890f645b940ecdcc9376e88bc3dae77042d14901b5d22abd00d37a2022c32d925bbf839f65e4eb3a006354b918d5c8eadd2216cc2dbe0ce12e0ad90a383636a1327a91db72cf96cd4e672f68544eaea9591f6ed102e1" } },
        "resume" : { "loginTokens" : [ 
            { "token" : "t9Dxkp4ANsYKuAQav",
              "when" : 1372521823708 } ] } },
      "emails" : [ 
        { "address" : "example@example.com",
          "verified" : false } ] }
  • The user is redirected to the "old application". Here we check local storage (should be the same local storage as meteor if we use the same outward facing host and port, correct?) and find this information:
    Meteor.loginToken: t9Dxkp4ANsYKuAQav
    Meteor.userId: HSdbPBuYy5wW6FBPL
  • The local storage data is investigated by "the other application" and it does a simple database query against the meteor db to verify that the local storage information matches what is in the database. Perhaps also check some kind of expiration date. If this matches, the application renders, otherwise it doesn't.

Is this a decently safe way to do it? Will it work to share local storage between the applications?

John Paul
oskbor
  • That seems like a reasonable approach, but you'll need to watch out for domain and path restrictions on your cookies: http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path. – Jeff Allen Jul 07 '13 at 14:47
  • This is exactly how I've approached this when working with Meteor and browser extensions. – PETER BROWN Jan 11 '15 at 15:20
  • Of possible relevance to this question would be my shinyStore package which allows you to use (optionally encrypted) local storage from Shiny: https://github.com/trestletech/shinyStore – Jeff Allen Jan 14 '15 at 05:39
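
The server-side check described in the question's last step, as an added example that is not part of the original post or of Meteor's own code. The record shape is the one shown in the question; the in-memory `users` array, `findUserById`, and the 90-day `MAX_TOKEN_AGE_MS` are assumptions made for illustration.

```javascript
// Check the values the old application reads from localStorage
// (Meteor.userId, Meteor.loginToken) against the stored user record.
const MAX_TOKEN_AGE_MS = 90 * 24 * 60 * 60 * 1000; // assumed lifetime, not a Meteor setting

// Constructed stand-in for the Meteor "users" collection (shape from the question).
const users = [{
  _id: "HSdbPBuYy5wW6FBPL",
  services: { resume: { loginTokens: [
    { token: "t9Dxkp4ANsYKuAQav", when: 1372521823708 },
  ] } },
}];

// Hypothetical lookup; a real deployment would query the Meteor MongoDB here.
function findUserById(id) {
  return users.find((u) => u._id === id) || null;
}

// Compare every character instead of returning at the first mismatch.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function verifyLogin(userId, loginToken, now = Date.now()) {
  // Both values come from the browser. Rejecting non-strings keeps a JSON
  // object such as {"$ne": null} from ever reaching a database query.
  if (typeof userId !== "string" || typeof loginToken !== "string" || !loginToken) {
    return { ok: false, reason: "malformed" };
  }
  const user = findUserById(userId);
  const tokens = user?.services?.resume?.loginTokens ?? [];
  let match = null;
  for (const t of tokens) {
    if (constantTimeEqual(t.token, loginToken)) match = t;
  }
  // Unknown user and wrong token give the same answer, so the reply
  // does not reveal which user ids exist.
  if (!match) return { ok: false, reason: "unknown" };
  if (now - match.when > MAX_TOKEN_AGE_MS) return { ok: false, reason: "expired" };
  return { ok: true, userId: user._id };
}
```

The check has to run on the server for every session the old application opens; the values in local storage are only the claim being verified.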

1 Answer

0

Of course you'll have to make sure that your WebSockets are running over TLS. LocalStorage uses a simple Same-origin Policy. So yes it will work. LocalStorage is as secure as a cookie so that's ok.

TLDR:

Yes and Yes

halbgut