@martin What piece(s) of information from the client cert do you use to uniquely identify a user? Fingerprint? Entire file contents? Something else? I'm new to this method of authentication and am curious how to implement it for my own apps. · 1 year ago
@martin: ah, good point about CSRF! That’s a good one to keep in mind. Thanks for mentioning that. · 1 year ago
Yep, Station just takes a hash of the cert attached to the request and stores that as the user's fingerprint. Handlers then use the fingerprint to determine the user's identity on each request. A further challenge is that some requests (non-read requests), such as "delete account", need to be protected from CSRF. To do this, their URLs contain a portion of the hashed fingerprint so they can only be "replayed" by the same user they were created for. In other words, a request containing a CSRF token that is mismatched from the requesting identity is rejected. Hope that helps. · 1 year ago
I've used the fingerprint in my own little experiments. · 1 year ago