💾 Archived View for station.martinrue.com › schrockwell › ce0eb501c0724ed397279d10aa61f9d6 captured on 2023-11-04 at 11:57:39. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-09-28)
-=-=-=-=-=-=-
@martin What piece(s) of information from the client cert do you use to uniquely identify a user? Fingerprint? Entire file contents? Something else? I'm new to this method of authentication and am curious how to implement it for my own apps.
3 months ago
@martin: ah, good point about CSRF! That’s a good to keep in mind. Thanks for mentioning that. · 3 months ago
Yep, Station just takes a hash of the cert attached to the request and stores that as the user's fingerprint. Handlers then use the fingerprint to determine the user's identity on each request. A further challenge is that some requests (non-read requests), such as "delete account", need to be protected from CSRF. To do this, their URLs contain a portion of the hashed fingerprint so they can only be "replayed" by the same user they were created for. In other words, a request containing a CSRF token that is mismatched from the requesting identity is rejected. Hope that helps. · 3 months ago
I've used the fingerprint in my own little experiments. · 3 months ago