Project Link/Auth: Difference between revisions
Revision as of 11:37, 21 March 2016
Authentication
For the first iteration of Project Link we chose to implement a very simple authentication system based on passwords and session tokens with support for a single user only.
The whole authentication process is managed by the Link box (FoxBox). The first time a box is used, the user is asked to create a password for the admin user. A bcrypt hash of this password is stored locally in a SQLite database inside the box, and a session token is handed to the client the user is using to access the box. These session tokens are signed JSON Web Tokens (JWT) that carry the user id and user email in their payload; they can be used to access the box's HTTP and WebSocket endpoints that require authentication. Once the box setup is completed and the admin user has been created, the setup endpoint is hidden.
Every new client that needs a session token of its own must redirect the user to the box URL, where the user enters her credentials. If authentication succeeds, the user is redirected back to the client, which then obtains the session token.
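The following is an added example that models the flow described above; it is not code from the fxbox/users repository. It assumes an in-memory SQLite user table, an HS256-signed JWT with a per-box secret, and PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt (bcrypt needs a third-party package). The method names (setup, login, verify_token) are hypothetical. It shows the parts a reviewer would check: the setup endpoint disappearing after the admin exists, constant-time comparison of hashes and signatures, and rejection of tokens whose header does not say HS256.

```python
"""Added example: first-iteration Project Link authentication, modelled in Python.

Assumptions (not from the wiki page): PBKDF2-HMAC-SHA256 stands in for bcrypt,
tokens are HS256 JWTs signed with a per-box secret, SQLite lives in memory.
"""
import base64
import hashlib
import hmac
import json
import os
import sqlite3
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Box:
    """One Link box: owns the user table and issues/verifies session tokens."""

    PBKDF2_ITERATIONS = 200_000  # stand-in for bcrypt's work factor

    def __init__(self, secret: Optional[bytes] = None):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
            "salt BLOB, pw_hash BLOB)"
        )
        self.secret = secret or os.urandom(32)  # per-box token signing key

    # Setup endpoint: only reachable until the admin user has been created.
    def setup_available(self) -> bool:
        (count,) = self.db.execute("SELECT COUNT(*) FROM users").fetchone()
        return count == 0

    def setup(self, email: str, password: str) -> str:
        if not self.setup_available():
            raise PermissionError("setup endpoint is hidden once the admin exists")
        salt = os.urandom(16)
        cur = self.db.execute(
            "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
            (email, salt, self._hash(password, salt)),
        )
        self.db.commit()
        return self._issue_token(cur.lastrowid, email)

    # Login page the box redirects clients to; returns a token on success.
    def login(self, email: str, password: str) -> Optional[str]:
        row = self.db.execute(
            "SELECT id, salt, pw_hash FROM users WHERE email = ?", (email,)
        ).fetchone()
        if row is None:
            return None
        user_id, salt, stored = row
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        return self._issue_token(user_id, email)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, self.PBKDF2_ITERATIONS
        )

    def _issue_token(self, user_id: int, email: str, ttl: int = 86400) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"id": user_id, "email": email, "exp": int(time.time()) + ttl}
        signing_input = (
            b64url_encode(json.dumps(header).encode())
            + "."
            + b64url_encode(json.dumps(payload).encode())
        )
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    # Called by HTTP/WebSocket endpoints that require authentication.
    def verify_token(self, token: str) -> Optional[dict]:
        try:
            h, p, s = token.split(".")
            header = json.loads(b64url_decode(h))
            if header.get("alg") != "HS256":  # reject alg=none / alg confusion
                return None
            expected = hmac.new(self.secret, (h + "." + p).encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(s)):
                return None
            payload = json.loads(b64url_decode(p))
        except ValueError:  # malformed base64 or JSON
            return None
        if payload.get("exp", 0) < time.time():
            return None
        return payload
```

The header check before signature verification matters because the signature only covers what the box itself signed: a token whose header claims alg=none is rejected before anything else is trusted, and both the password hash and the signature are compared with hmac.compare_digest so a wrong guess takes the same time as a near miss.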
UX
An early draft of the redirection-based authentication UI can be found here.
A more detailed spec can be found here (slides 19-end).
Code
Most of the code related to user management and authentication lives in the fxbox/users repository.
Next steps
- Multiple users support
- Token based authentication (https://docs.google.com/document/d/1DjkDYZqlNuYggn_oVHL-0YKmcbeJDuetam7yO9c735I/edit#heading=h.4vdmjg7eadme)
- Authorization