I am trailing the Gun/SEA authentication system for a distributed/serverless application. This app is saving session information to local storage when a Gun user is authenticated. One problem I am having is when the page is refreshed or a new tab is opened I want to keep the user authenticated while the session is valid and I would rather not store the user name and password in local storage due to XSS and physical security reasons. Is there a solution to this problem currently? I think sessionStorage could be nicer but it still has some of the same security issues of storing the user name and password somewhere an attacker may be able to get it, and needing the user to log in when a new tab is opened.
Keeping a Gun DB user authenticated during a session
1.7k views Asked by Matt Grant At
1
grant ! Awesome to hear from you, sorry for the delay in reply (I'm not sure who the person commenting was, as it didn't really help your situation).
This is a great question, and you have somewhat already poked at the limits of security and browser tech - honestly, none of them are very good. Let's review:
user.recall({sessionStorage: true})
it will attempt auto log you back in. But you are right, there are some security tradeoffs, but I think this one is reasonable.localStorage
. I've heard a few people complaining different browsers handle sessionStorage poorly (doesn't preserve in new tab, etc.), so the next option would be to use localStorage. However, I do think this is an actual security concern.IndexedDB
. Turns out that WebCrypto API does have an option to import keys and will encrypt them in IndexedDB and retrieve them later without it getting passed to user land - at least, that is what I've heard. However, you still have to deal with initially getting the keys, and IndexedDB support varies, and you'd to write a GUN plugin for it.In the meanwhile, your original suggestion is probably best - to use (1) sessionStorage. It will be/is forward/backward compatible with MetaMask. Mid-term hopefully you or somebody else in the community will get (5) working. And then long-term (6 & 7) will be the solution.
As for now, check out the MetaMask demo: https://twitter.com/marknadal/status/1062153254283276288