Create authentication for frontend

[jendakol]

Using HTTPS is sure thing but we have to prevent unauthorized people from using the FE.

[nxtwrld]

Here are couple of options.

1. htaccess the whole application and its endpoint. Good enough for a week or two
2. create username/password login with session cookie - registration is probably not yet needed.
3. integrate with Google SSO

[jendakol]

We will run on Azure env and I've been told it's not that easy to set basic auth there, so the authentication should be solved by the app itself. So I guess the middle option is quite fine for now - login screen, hardcoded credentials (for MVP).

[Foxlik]

For MVP you can do Basic auth static:

if header['Authorization'] == 'Basic dGVzdHVzZXI6dmVyeW11Y2h0ZXN0aW5n': 
    return true

(login testuser password verymuchtesting)

[nxtwrld]

for 2.
There will be an endpoint, where I will post username and sha-256 of a password. The endpoint will authenticate it and set a cookie that will authenticate every request

[bodik]

for 2.
There will be an endpoint, where I will post username and sha-256 of a password. The endpoint will authenticate it and set a cookie that will authenticate every request

why sha/digest of the password is sent to the server ? doesn't it mean that it actually makes the digest to be a plain-text password effectively, hence the protocol would be susceptible to pass-the-hash attack (eg. plaintext is stored on the server and can be directly used after leak without any processing/cracking) ?

[jendakol]

Let's go with basic auth in MVP, ok?
We'll implement it on the backend.

[jendakol]

@Kobzol Please take this over.

[Kobzol]

Basic auth is there, so with HTTPS we can just create credentials and send them to (backend) users.