Identity framework yay or nay?
I am building a local password manager (for a local server). It's meant to be used by one user, so one account. It should only have a master password.
Does it make sense to use the Identity framework for that?
22 Replies
No
Identity would be pretty big overkill if you explicitly just want a single user, and no roles, claims, etc.
I don't mind going overkill if it's overkill in terms of security,
but if it doesn't provide more security, then it is pointless.
Speaking of security, where do I keep my master password?
You don't.
Like, it will be hashed and salted and stuff.
It would be overkill in terms of features and complexity.
I mean, you can use it, but you'd only be using a tiny piece of it.
Just a master password is easier.
Probably.
You can implement the exact same amount of security that Identity does (PBKDF2-HMAC-SHA256, IIRC) separately.
I actually already extracted the password hashing/verification, lemme find it.
Sounds interesting.
I hope it's not too complicated to implement.
Damn, one class.
That's the bare minimum to hash and verify passwords the same way Identity does.
Cool
It might depend on some ASP.NET Core library.
Random and stuff, yep.
Well, thank you.
I'll work on it tomorrow.
I'll also need to use it as, like, authentication,
to block access to the API if you're not logged in.
You can very easily apply a middleware or your own action filter, much like
[Authorize]
that handles it.
Authorize is a library?
Or
a tag for the endpoint?
It's an attribute you can stick on endpoints or controllers.
Like [required]
And how do I configure what authorize checks for?
It uses the built-in authorization system that Identity also uses. You could make your own authentication scheme that would work with it, but it might be simpler to just make up your own thing.
This is kinda what I meant with Identity being overkill here: you are trying to force a much more complicated system to do something that is actually very simple.
Well, if I didn't use Identity,
how do I lock my endpoints behind a master password?
🤔 I'll figure it out.
Create a login endpoint.
If the user gives the correct password, set a cookie.
Look for that cookie in protected endpoints.
You can extract that behaviour to a middleware or action filter, and it would behave much like
[Authorize]
Cool.
Thanks for the help.