Most secure way of logging in for my project

I can’t impersonate them; they’re using their Replit account to login, not an account that you can make through the forum.
There’s a lower risk of being hacked.

2 Likes
  1. Use Firebase or Supabase; makes it simple and easy. (but also really secure)
3 Likes

What about MongoDB? Is it safe too?

1 Like

I’d say option 4 but with a more common authentication (or multiple). Maybe Google or something.
If you use an established third party, then you don’t have to worry about attackers, you don’t have to implement all of the various things that are necessary for protecting passwords, and user login info is much safer.

4 Likes

Option 4 is the safest option because it outsources the authentication to a third party that specializes in this process, similar to using OAuth with providers like Google or Facebook. This way, you never handle the passwords directly, which reduces the risk. However, you would still need to manage sessions securely and ensure that only authenticated users can perform actions on your forum. If you choose to handle passwords yourself, opt for option 1. However, ensure you use a reputable password hashing function such as bcrypt, which is designed for that purpose. Always store the hash and the salt, not the actual password. Avoid using plain text or self-created ciphers to store sensitive information. It is also crucial to use HTTPS to secure data in transit and consider implementing additional security measures, such as two-factor authentication, for enhanced security.

7 Likes

Use either hashing or Repl’s authentication. Nothing else ever.

3 Likes

Repl’s auth doesn’t have a logging out option.

yes and no. What you meant to say was…

1 Like

You can remove the cookie, I’m pretty sure, that ‘logs you out’.

1 Like

Do you know how to redirect a user to a /forum route from the / route? The login is in /. May I add that I am not using from replit import web, but instead using request parameters as stated in the docs.

Don’t see why you need a separate /forum route, also don’t see why you aren’t using replit.web, but:

from flask import Flask, redirect, request, url_for

app = Flask(__name__)

@app.route('/')
def index():
    if request.headers.get('X-Replit-User-Name'):
        return redirect(url_for('forum'))
    ...

@app.route('/forum')
def forum():
    ...

Well, they’re part of a return.
Let me give you the code.

Here’s the code @QwertyQwerty88 :

@app.route('/')
def home():
  return render_template(
    'home.html',
    user_id=request.headers['X-Replit-User-Id'],
    user_name=request.headers['X-Replit-User-Name'],
    user_roles=request.headers['X-Replit-User-Roles'],
  )

Do you want to redirect the user to /forum when he goes to / ?

@app.route('/')
def home():
    return redirect(url_for('forum'))

@app.route('/forum')
def forum():
    return render_template(
        'home.html',
        user_id=request.headers['X-Replit-User-Id'],
        user_name=request.headers['X-Replit-User-Name'],
        user_roles=request.headers['X-Replit-User-Roles'],
    )

No, it should ask the user to log in at /, where home.html has a login button. Then, after collecting the headers (needs to be in return), it should redirect to /forum.
Maybe @QwertyQwerty88 can help?

@app.route('/')
def home():
    return render_template('home.html')

@app.route('/login', methods=['POST'])  # this is where these login forms are sent
def login():
    make_login()  # the login process
    return redirect(url_for('forum'))

@app.route('/forum')
def forum():
    return render_template(
        'home.html',
        user_id=request.headers['X-Replit-User-Id'],
        user_name=request.headers['X-Replit-User-Name'],
        user_roles=request.headers['X-Replit-User-Roles'],
    )

I tried, to no avail.

Heard of Firebase? It has a very useful auth framework.

2 Likes

Yes and no. Where can you find Firebase auth? I’m kinda new to this Firebase system.

3 Likes

When I have a spare minute I’ll try and see if I can get it working and make a demo.

2 Likes

I remember that this only works if you can do it serverside because it is an HTTP only cookie.

1 Like