Implemented Jwt and Oauth2.0 Authentication #67
Conversation
Hi @ ,
Thank you for your prompt work on this issue. I appreciate your dedication to the project.
I have reviewed your work, and I need some changes.
- Use constructor injection, not autowired.
- Where are the login and logout controllers?
Once again, thank you for your contribution! ❤️
Hi! @ajaynegi45
Hey! @ajaynegi45
Yes, it will take some time.
Hi @rishabhrawat05, while running your code, I encountered an issue with the missing Could you please address this?
Hey! @Guhapriya01
Thanks, @rishabhrawat05! I’ll go ahead and try setting the Env: production along with configuring the client-id and client-secret in the
Hi @rishabhrawat05, I’ve reviewed your changes, and they look good! However, I noticed a potential security issue with the Recommendations:
Additionally:
I’d love to hear your thoughts on these suggestions!
Hey! @Guhapriya01
Hey! @Guhapriya01
Hi @rishabhrawat05, thanks for implementing the changes! I’ll review them shortly and get back to you.
Thanks @rishabhrawat05 for the quick changes! Everything looks good. I noticed that the
Hey! @Guhapriya01
Hey @rishabhrawat05, I understand the challenge you're facing. If we assume there's already an existing admin, one solution is to manually assign the Once we have an admin, they can use secured API endpoints like This approach is common, and I’ve seen it work well in a previous project. Let me know if you think this would solve the issue!
@Guhapriya01, I understand your solution well, but I think I have a better option: why not ask the admin user for a secret passkey (a predefined or hardcoded string) when they sign up? Using that, we can check whether the key is correct and then give them the admin role, and similarly for librarian.
Hey! @Guhapriya01
Thanks for the updates! I’ll review your changes and get back to you soon.
Hey! @ajaynegi45
Hi @rishabhrawat05, I noticed that the secret key is exposed in the URL as a path variable. Do you think this is secure?
Yes, as only the admin can access this key, and then he can sign up at that API endpoint where he needs that secret key.
I understand, but since the secret key is in the URL, it could be visible to others. Doesn’t that create a security risk?
So I should create a single in-memory account, and that account can access signup, which will register more admin users. But in this way the code is visible to anyone, and anyone can view the admin password, so how will this be secured?
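An added example (not code from this pull request or the project) of what the alternative to a path-variable secret can look like in a Spring Boot controller: the bootstrap key is read from configuration instead of being hard-coded, travels in the request body instead of the URL, and is compared in constant time. The property name, the endpoint path, and the use of Spring Security's UserDetailsManager and PasswordEncoder are assumptions, not taken from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
// The bootstrap key rides in the JSON body over TLS, not as a path variable,
// so it does not land in access logs, proxy logs or browser history.
record AdminSignupRequest(String username, String password, String bootstrapKey) {}

@RestController
class AdminSignupController {
    private final byte[] expectedKey;
    private final UserDetailsManager users;
    private final PasswordEncoder encoder;

    // Constructor injection (no field @Autowired); the key is read from configuration such as
    // an environment variable, never from source. Property name and path are hypothetical.
    AdminSignupController(@Value("${app.admin.bootstrap-key}") String bootstrapKey,
                          UserDetailsManager users, PasswordEncoder encoder) {
        this.expectedKey = bootstrapKey.getBytes(StandardCharsets.UTF_8);
        this.users = users;
        this.encoder = encoder;
    }

    boolean keyMatches(String supplied) {
        // Constant-time comparison: String.equals() stops at the first mismatching
        // byte, which can leak how much of the key was correct.
        return supplied != null
                && MessageDigest.isEqual(expectedKey, supplied.getBytes(StandardCharsets.UTF_8));
    }

    @PostMapping("/api/admin/signup")
    ResponseEntity<String> signup(@RequestBody AdminSignupRequest req) {
        if (!keyMatches(req.bootstrapKey())) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("invalid bootstrap key");
        }
        users.createUser(User.withUsername(req.username())
                .password(encoder.encode(req.password()))   // never store the raw password
                .roles("ADMIN")
                .build());
        return ResponseEntity.status(HttpStatus.CREATED).body("admin account created");
    }
}
```

Rotating or removing the bootstrap key from configuration once the first admin exists closes the endpoint without a code change.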
Hey! @Guhapriya01
Hi @rishabhrawat05, thank you for taking the time to implement the changes! I truly appreciate your effort in adapting the approach. I've reviewed your changes, and I'm happy to say that I've merged your pull request. Everything looks great and aligns well with our project goals. Awesome job! If you have more ideas or want to tackle other issues in the future, feel free to reach out. Your contributions are highly valued and greatly enhance the project. Thanks again for your hard work! ❤️
@Guhapriya01, thank you for teaching me something new about security; this will elevate my skills. Just one more thing: please assign the labels that are assigned to this issue, as this contribution will not be counted otherwise.
@rishabhrawat05, I’m glad to hear that you found the security insights helpful! 😊 I've added the appropriate labels now. Looking forward to collaborating more!
Thank you for the constant support.
Hi! @ajaynegi45
I have implemented all the functionality based on your issue #29.