daily.dev

Daily Is Now More Secured Than Ever

Ido Shamun ・2 min read

Security is our top priority! We cannot compromise your personal data, and we take its protection very seriously. Recently, we introduced a new login flow to maximize the security of our authentication system. The new flow is based on OAuth 2.0 Proof Key for Code Exchange (PKCE), which is designed primarily for mobile apps and SPAs (single page apps).

Furthermore, as an extra precaution, we remove from the client's storage any information related to authentication, such as access tokens. By doing so, we reduce the impact of XSS and similar attacks, since a script running in the page has no stored token to steal.

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorization. It defines everything you need to know to build a secure authentication system for different use cases. The standard covers login flows for native apps (mobile/desktop/SPA), server-side rendered apps and even devices with no keyboard or browser. Beyond the login flows, it also covers topics such as token management, information sharing between apps and a lot more. Take a look at the official website for more information.

What is special about OAuth 2.0 PKCE?

I highly recommend reading the article “Implement the OAuth 2.0 Authorization Code with PKCE Flow” by Okta, but here is a summary:

The motivation for writing a new specification was to provide an authentication solution for public or untrusted clients. Until PKCE, the flow used a fixed secret to validate the authentication request. This is not safe for public clients and should only be done in a secure, private environment such as a server: in a public client, anyone can inspect the source code and extract the fixed secret. PKCE introduces a dynamically generated secret instead. The app generates this secret, called the Code Verifier, before it starts the login flow. The app then hashes the Code Verifier into a Code Challenge, and sends this freshly generated Code Challenge as a parameter when initializing the login flow. From there, the regular OAuth 2.0 Authorization Code flow proceeds with one change at the end: before the authentication completes, the app has to send the Code Verifier. Given the Code Verifier, the server applies the same hashing algorithm and checks that the result matches the Code Challenge it received at the start, which proves that the same client carried out the whole process from start to finish, before it issues the access token and grants permissions to the client.

Action Required

We highly recommend updating Daily to the latest version available in the store, so that you are protected as we want you to be. The new authentication is available since version 2.10.6. As part of this upgrade, you will be automatically logged out, and your next login will go through our new authentication flow.

Got a Question?

We are here for any issue you might encounter along the way, and we will be happy to support you.
You can also reach out to us on Twitter, GitHub or via email at contact@dailynow.co.

The Daily team wishes you safe and happy browsing in one of the greatest dev news curators.

Posted on Mar 19 '19 by:


Ido Shamun

@idoshamun

Co-Founder The Elegant Monkeys, Co-Maker of Daily and a passionate software developer

Discussion


Thanks for this nice article.

And I am glad to hear that

Daily Is Now More Secured Than Ever

Although I am no customer. What drove me to the article was that reading about improving security always catches my interest.

I wish this article had two diagrams in it

  • one showing the OAUTH flow

  • one showing how PKCE changes the game

Somewhere in the middle of the text is the description of what the gains with dynamic secrets are and what is done. But I think this article would benefit from diagrams. Then it would read less like typical PR of »Hey, we made stuff more secure« ;)


I have a plan for a follow-up blog post about the implementation itself in nodejs. Stay tuned :)