Auth flow secret encryption

I'm implementing a simple password authentication registration, using nuxt-auth-utils and nuxt-hub. I'd like to enforce email verification before completing the actual registration. Here are the steps on the client side:

1. The user enters their email and requests an OTP.
2. The user enters the OTP and verifies it.
3. The user enters a display name.
4. The user enters a password and registers.

To prevent users from tampering with the request and changing the email to another one, I thought it would be a good idea to verify on the server that the email used in step 4 matches the one verified in step 2. Since I'm new to this, I found that a good solution is to generate a UUID token in step 2, bind it to the email (using Cloudflare KV), and verify it in step 4. Does this sound like a good approach? Do you think there's a better alternative?

Anyway, to send this token with the request in step 4, I initially considered setting it as an HTTP-only cookie in step 2:
    setCookie(event, 'otpToken', btoa(token), {
      httpOnly: true, secure: true, sameSite: 'strict', path: '/auth', maxAge: 60 * 5
    })
However, I later found out that I can store secrets using nuxt-auth-utils:
    setUserSession(event, {
      secure: {
        otpToken: token
      }
    })
Which is the better approach? setUserSession encrypts the session, but its max age might be too high. Since I’m struggling with this, I want to ensure this is the best way to achieve the desired functionality and that I’m not introducing any security pitfalls into my flow. Thank you very much!
2 Replies
kapa.ai, 2mo ago
Hi @lorenzofiamingo. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base.

Based on the information available in the knowledge sources, using nuxt-auth-utils to manage session data is a recommended approach for handling authentication and session management in Nuxt applications. This utility provides a secure way to store session data using sealed cookies, which are encrypted and can be configured with a secret key.

In your case, using setUserSession to store the otpToken securely is a good approach. This method encrypts the session data, which adds an extra layer of security compared to using a regular HTTP-only cookie. However, you mentioned concerns about the session's max age being too high. You can configure the session duration according to your needs by setting the appropriate options in your session management setup. Here's a brief overview of how you can use setUserSession:
    setUserSession(event, {
      secure: {
        otpToken: token
      }
    })
This method ensures that the otpToken is securely stored and can be retrieved later for verification purposes. It also helps prevent tampering, as the session data is encrypted. For more detailed guidance on setting up sessions and authentication in Nuxt, you can refer to the Nuxt documentation on sessions and authentication.

If you need to adjust the session duration or other settings, you can configure these options in your session management setup. This flexibility allows you to tailor the session behavior to your specific requirements.

In summary, using nuxt-auth-utils for session management is a secure and efficient approach, and it should meet your needs for handling OTP verification and email validation in your authentication flow.

Note: you can ask me a follow-up question by @ mentioning me again.
