You are viewing a single comment's thread from:
RE: All functionality of the SteemMakers website has been ported
Thank you for your contribution. It's good to see that Security is your first priority, however, when someone says "Remember Me" are you storing the key of that person in the database?
Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]
No, not at all, we don't store any keys. I tried to explain but apparently failed, let me give it another try.
The 'key' or rather SteemConnect token is stored in a cookie on the user's device. When the app loads it checks for the cookie and if present logs on the app automatically. Our server is not aware of this at all, everything is handled client side in the app. The app will then communicate with the server and request profile info, for example to check if the user is a reviewer and has access to certain features. This is done through a public API. The app itself checks the identity of the user directly to SteemConnect. This gives the user his experience.
This is only half of the story because it could be tampered with. A malicious user could pretend to be someone else and get access to the privileged parts of the application, for example article submission. This is not a problem however because upon submission the server does an identity check. When the public submission API is called the server expects a username in the request and a SteemConnect token in the http header of the request. The server only holds a list of usernames of the reviewers, no tokens, but... When the API is called the server itself checks if the username and token in the request match by verifying these with SteemConnect, it doesn't store them, it just uses them to verify. The server now knows that the username belongs to someone having the token and that can only be the real user.
A malicious user could access the restricted page in the app but would never be able to call the API with the correct token.
Does that make sense?