Authentication
The only way to prevent anyone other than the repository owner from adding a repository to DotDocs would be to authenticate them through GitHub.
- A user attempts to submit a repository to DotDocs to be added to the documentation web
- DotDocs queries the repository to determine who owns it
- We need to authenticate...
If we have the owner account email, we could send them a code and have them enter it. I prefer this email approach over logging in as it is much simpler for now.
Once the user enters the correct code, a JWT is created with a payload of the user id, which is returned to the client for authentication of subsequent requests.
JWT expiration will be 1 hour from creation (the time of authentication).
Users get 5 attempts to enter the correct code; after that the code is invalidated and they can try again after 1 minute.
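The email-code flow described above, written out as an added example (not DotDocs code): a code is issued per email address, a wrong guess counts toward the 5-attempt limit, the fifth failure invalidates the code and locks the address for 1 minute, and a correct code mints an HS256 JWT carrying the user id with a 1-hour expiry. The signing key, the 6-digit code format and the in-memory storage are assumptions for the demo; the real service would email the code rather than return it.

```python
import base64, hashlib, hmac, json, secrets, time

MAX_ATTEMPTS = 5     # from the design: 5 guesses per code
LOCKOUT_SECS = 60    # then wait 1 minute before a new code can be issued
JWT_TTL_SECS = 3600  # JWT expires 1 hour after authentication
SECRET = b"PLACEHOLDER-replace-with-32-random-bytes"  # assumed signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(user_id: int, now: float) -> str:
    """HS256 JWT whose payload carries the user id, iat and exp."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + JWT_TTL_SECS}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Return the user id if the signature is valid and exp is in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):  # check before decoding
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["sub"] if now < claims["exp"] else None

class EmailCodeAuth:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the lockout can be tested
        self.pending = {}       # email -> {"code": str, "attempts": int}
        self.locked_until = {}  # email -> unix time when a new code may be issued
    def issue_code(self, email: str):
        if self.now() < self.locked_until.get(email, 0):
            return None  # still inside the 1-minute lockout
        code = f"{secrets.randbelow(10**6):06d}"  # emailed in real use, never sent to the client
        self.pending[email] = {"code": code, "attempts": 0}
        return code
    def verify(self, email: str, submitted: str, user_id: int):
        rec = self.pending.get(email)
        if rec is None:
            return None  # no live code for this address
        if hmac.compare_digest(rec["code"].encode(), submitted.encode()):
            del self.pending[email]  # a code is single-use
            return make_jwt(user_id, self.now())
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS:  # invalidate the code and lock out for 1 minute
            del self.pending[email]
            self.locked_until[email] = self.now() + LOCKOUT_SECS
        return None
```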
Ideally, we will have a server just for authentication running MySQL 8.0. We can have a table for Users which will basically hold a numeric auto-incremented id and their email. This User table can then be referenced by another table named something like Session, which will have a foreign key to the user, an apikey value, and a creation timestamp.
Auth Steps:
- Query this to acquire login (aka account name) and user id