Security is our top priority! We cannot comprise your personal data and we take it very seriously. Recently, we have introduced a new login flow to maximize the security of our authentication system. The new flow is based on OAuth 2.0 Proof Key for Code Exchange (PKCE) and primarily targets mobile apps and SPA (single page apps).
Furthermore, we take more steps of caution and remove from the client’s storage any information that has to do with the authentication such as access tokens. By doing so, we reduce the risk of XSS attacks and others.
OAuth 2.0 is the industry-standard protocol for authorization. It defines everything you need to know to build a secure authentication system for different use cases. The standard covers login flows for native apps (mobile/desktop/SPA), server-side rendering apps and even devices with no keyboard or browser. It covers even more topics than the login flows such as token management, information sharing between apps and a lot more. Take a look at the official website for more information.
I highly recommend reading this article “Implement the OAuth 2.0 Authorization Code with PKCE Flow” by Okta but anyway, here is a summary:
The motivation for writing a new specification is to provide an authentication solution for public or untrusted clients. Until PKCE, the flow used a fixed secret to validate the authentication request. This is not safe for public clients and should be done only in a secured and private environments such as servers. In public clients, you can easily inspect the source code and extract this fixed secret. PKCE introduces a dynamically-generated secret. The app generates this secret, called Code Verifier before it starts the login flow. The app then hashes the Code Verifier into a Code Challenge. The brand new generated Code Challenge is sent as a parameter to initialize the login flow. From there, we follow the regular OAuth 2.0 Authorization Code flow with a slight change at the end, before completing the authentication the app has to send the Code Verifier. With the Code Verifier the server can use the same hashing algorithm and validate that indeed the same client did the whole process from start to finish before issuing the access token and giving permissions to the client.
We highly recommend updating Daily to the latest version available in the store to make sure you are protected as we want you to be, the new authentication is available since version 2.10.6. As part of this upgrade, you will be automatically logged out and your next login will be covered by our new authentication flow.
The Daily team wishes you safe and happy browsing in one of the greatest dev news curator.