05. Login/01. Login (🏁 solution)

Login

πŸ‘¨β€πŸ’Ό Stellar! Now we can really be sure the user is who they say they are when they log in. Next, let's add some utilities that will make it much easier to access the user's information throughout our UI from anywhere in the app.

Timing Attacks

πŸ¦‰ I want to take a moment to talk about timing attacks. We're currently vulnerable to these though it doesn't matter to us. A timing attack is essentially a way to figure out a secret by measuring how long it takes to perform an operation. In our case, we're vulnerable because we're using bcrypt.compare to compare the user's password to the hash in the database. But before we do that, we're checking to see if the user exists. If the user doesn't exist, we return early.
So an adversary could determine if a user exists by measuring how long it takes to get a response from the server. If the user doesn't exist, the response will be faster than if the user does exist.
In our application, the users are public knowledge so it doesn't matter if an adversary can figure out if a user exists or not. Additionally, we require the username to be unique so an adversary could simply sign up for an account to figure out if a user exists or not.
But, imagine a scenario where an adversary is trying to determine if a user with a specific email has an account at a certain bank. That would probably be a bad thing, so it would be a good idea for that bank to hide the fact that a user exists or not. They could do this by always returning a response, even if the user doesn't exist and ensuring that response takes a random amount of time regardless of whether the user exists or not.

Kellie's work

πŸ§β€β™‚οΈ I'm going to make a few changes for you to help you focus on your task, specifically, I'm going to:
  1. add a (non-functional) logout button to the user's page if they're looking at their own profile.
  2. Only display the note delete and edit buttons if the user is the owner of the note.
  3. Only display an "add note" link if the user's looking at their own notes.
None of these will be wired up (that's your job), but they'll help you see what you're working towards. And it's important to note that just because we don't display the UI for something, it doesn't mean the user can't do that with sophisticated tools so we'll definitely want to add some logic on the backend too. We'll get to that later though.
As always, if you want to, you can review my work.
← PreviousNext β†’
Edit on GitHub
problemsolutiondiffchat

Please set the playground first

Loading "Login"
Loading "Login"
Login to get access to the exclusive discord channel.
  • general
    Welcome to EpicWeb.dev! Say Hello πŸ‘‹
    Kent C. Dodds β—† πŸš€πŸ†πŸŒŒ:
    This is the first post of many hopefully!
    • 18
     86 Β· 2 years ago
  • general
    Modals / Dialogs
    Lucas Wargha πŸš€ 🌌:
    It seems like modals and dialogs are becoming a hot topic on my team lately. I haven’t found a solid...
    3 Β· 2 months ago
  • general
    epic stack website initial load at home page is unstyled (sometimes)
    osmancakir πŸš€ 🌌:
    Sometimes (especially when it is loaded first time on a new browser etc.) I see this unstyled versio...
    • βœ…1
     10 Β· 5 months ago
  • πŸ”auth
    Fetching verification from DB in the Verification section of Authentication module
    Real πŸš€ πŸ†:
    ```const verification = await prisma.verification.findUnique({ where: { target_t...
    • βœ…1
     5 Β· 2 months ago
  • general
    Resource / Api endpoints on epic stack / RR7
    Lucas Wargha πŸš€ 🌌:
    Hi everyone! Quick question for those using the Epic Stack: How are you handling resource routes ...
    • βœ…1
     2 Β· 3 months ago
  • general
    Epic stack using tanstack form
    Lucas Wargha πŸš€ 🌌:
    https://github.com/epicweb-dev/epic-stack/compare/epicweb-dev:main...wargha:feature/tanstack-form-ex...
    • βœ…1
     3 Β· 4 months ago
  • general
    Init command outdated on the EpicWeb website
    Virgile πŸ† 🌌:
    Hi everyone. I've initialized a new epic-stack project yesterday. Following instructions from http...
    • βœ…1
     3 Β· 4 months ago
  • πŸ”auth
    Roles seed
    Baghira 🌌:
    I haven't understood why we do the manual migration in for patch the permissions and roles into the ...
    • βœ…1
     2 Β· 4 months ago
  • general
    Mark as complete, resets the first time you click it.
    Daniel V.C πŸš€ 🌌:
    Not sure if anyone else has had this issue, as i've not seen anyone else talk about it, but I find ...
    • βœ…1
     8 Β· 4 months ago
  • πŸ’Ύdata
    general
    πŸ“forms
    πŸ”­foundations
    double underscore?
    trendaaang 🌌:
    What with the `__note-editor.tsx`? I don't see that in the Remix docs and I don't remember Kent talk...
    • βœ…1
     2 Β· a year ago
  • general
    Keeping Epic Stack Projects Free on Fly – Any Tips?
    Lucas Wargha πŸš€ 🌌:
    I’ve been experimenting with the Epic Stack and deploying some dummy projects on Fly. I noticed that...
    • βœ…1
     0 Β· 5 months ago
  • πŸ’Ύdata
    general
    πŸ“forms
    πŸ”­foundations
    Creating Notes
    Scott 🌌 πŸ†:
    Does anybody know in what workshop we create notes? I would like to see the routing structure. So fa...
    • βœ…1
     2 Β· 7 months ago
  • πŸ”­foundations
    πŸ’Ύdata
    general
    πŸ“forms
    πŸ”auth
    Thank you for the inspiration
    Binalfew πŸš€ 🌌:
    <@105755735731781632> I wanted to thank you for the incredible knowledge I gained from your Epic Web...
    • ❀️1
     1 Β· 7 months ago
  • general
    npm install everytime I setup a new playground
    Duki 🌌:
    Is it normal that I have to run `npm install` in my playground directory, everytime I setup the play...
    • βœ…1
     2 Β· 9 months ago
  • πŸ”auth
    The latest web-auth workshop cannot be launch
    QzCurious 🌌 πŸš€:
    I've done: 1. Remove web-auth directory 2. Follow https://github.com/epicweb-dev/web-auth?tab=readme...
    • βœ…1
     7 Β· 10 months ago
  • general
    Migration to Vite: Server-only module referenced by client
    Fabian 🌌:
    Hi, I'm working on migrating to Vite following the remix docs (https://remix.run/docs/en/main/guides...
    • βœ…1
     1 Β· a year ago
  • πŸ”auth
    Github token added on refactor of connection model exercise
    abraham_aguilera 🌌:
    Where does the newly created `GITHUB_TOKEN` come from in the `resolveConnectionData` introduced in t...
    • βœ…1
     2 Β· a year ago
  • πŸ”auth
    Potential Security Concern with Empty Session Data in createCookieSessionStorage?
    QzCurious 🌌 πŸš€:
    Since session data can be an empty object, it seems possible that someone could guess when encrypted...
    • βœ…1
     6 Β· 10 months ago
  • general
    Remix Vite Plugin
    Binalfew πŸš€ 🌌:
    <@105755735731781632> Now that remix officially supports vite (though not stable) what does it mean...
    • βœ…1
     3 Β· 2 years ago
  • general
    πŸ”­foundations
    Solutions video on localhost:5639 ?
    quang πŸš€ 🌌:
    Hi, so I'm having a hard time navigating (hopefully will be better with time) The nav on epicweb.de...
    • βœ…1
     9 Β· 2 years ago
  • πŸ”auth
    Where are we getting target_type from?
    Salym πŸš€ πŸ† 🌌:
    I don't see target_type in ur verification schema, how are we generating this?
    • βœ…1
     9 Β· a year ago
  • πŸ”auth
    Unknown file extension ".png" for ".../user.png"
    TraderDave79 🌌:
    I'm going through the `web-auth` module and in the "Require Authenticated" exercise, after making th...
    • βœ…1
     9 Β· a year ago
  • πŸ”auth
    github.com refuses to connect in workshop app
    TraderDave79 🌌:
    Web Authentication / OAuth / 02. GitHub Strategy / Problem & Solution apps, when clicking "Login wit...
    • βœ…1
     3 Β· a year ago
  • general
    Epicshop is now social and mobile friendly!
    Kent C. Dodds β—† πŸš€πŸ†πŸŒŒ:
    I'm excited to announce that now the Epic Web workshops are mobile friendly! https://foundations.ep...
    • πŸŽ‰2
     0 Β· a year ago