LIST

password hashing on cloudflare pages

Svelte -> Lucia -> argon2

Lucia is a reference for session-based web app auth. It contains example code snippets and projects for implementing session-based auth in SvelteKit and other JS projects. You can add code that follows the Lucia guide to your project with `npx sv create` when creating a new project, or `npx sv add lucia` for an existing one.

src: Svelte recommends using Lucia

`npx sv add lucia` uses `import { hash, verify } from '@node-rs/argon2';`, and the example code from Lucia uses the same library...

December 14, 2024

OAuth for Server-Side applications (oauth2 secure backend flow)

toc

- secure flow original without PKCE
- secure flow with PKCE
- detailed flow examples (with PKCE)

secure flow original without PKCE

state param prevents CSRF

1) [front-channel] browser -> my-app
   GET [my-app.com/login](http://my-app.com/login)
   **- generate random value: state**
   < redirect to [auth-server.com/auth](http://auth-server.com/auth) (response_type, client_id, redirect_uri, scope, **state**)
2) [front-channel] browser -> auth-server
   GET [auth-server.com/auth](http://auth-server.com/auth) (response_type=code, client_id, redirect_uri, scope, **state**)
   < redirect to [my-app.com/redirect](http://my-app.com/redirect) (code, state)
3) [front-channel] browser -> my-app/redirect
   GET [my-app.com/redirect](http://my-app.com/redirect) (code, **state**)
   **- verifies state**
4) [back-channel] my-app -> auth-server
   POST [auth-server....

March 25, 2023

Course: The Nuts and Bolts of OAuth 2.0

https://udemy.com/course/oauth-2-simplified

bad: implicit flow → everything passes through the URL bar, aka the ‘front channel’ (the address bar)
good: back channel (a direct HTTPS request from the app to the server, e.g. server-side or an AJAX JS call)

client id
client secret (aka client password)

flow
- app builds a URL to redirect the user to the auth server: scope, redirect uri, client id
- login & approve & redirect back with an authorization code: one-time use, short expiration
- app contacts the auth server with the authorization code + client secret

alternative to the “authorization code” flow (when there is no client secret, aka a public client): PKCE - Proof Key for Code Exchange...

April 9, 2022