Authentication #2

sirkitree opened this issue Jan 10, 2021 · 3 comments
Comments

@sirkitree
Contributor

sirkitree commented Jan 10, 2021

Currently I'm hardcoding this in the local config.js, but I think in Neos we'd want it to be passed in from Neos into a publicly running instance. This would make sure that no one needs to download this repository and run it locally, or put it up on a server themselves with their key. That also means passing along the token from GitHub from Neos.

How can we do this securely?

@sirkitree sirkitree changed the title Authenitcation Authentication Jan 28, 2021
@sirkitree
Contributor Author

@mralext20 has done some preliminary work around authentication here: https://github.com/mralext20/kanban#auth0-server-setup

I'm not sure how much of that is useful for this project's purpose, but worth looking over.

@Anomalous

I'm not too familiar with doing things securely in Neos, but I have read that storing data securely is very difficult, especially if it's in a not-locked-down world.

Is there any way to verify a request as coming from a specific Neos user? I'm wondering if users can send their access credentials to the middleware in a secure context, the middleware stores the credentials associated with that particular user, and they can later be used from a non-secure world. But if there's no way to even verify which Neos user a request is coming from, that wouldn't work.

@mralext20

Neos-Metaverse/NeosPublic#785 has mention of ways to do account assurance, however these are not implemented.
