Login

๐Ÿ‘จโ€๐Ÿ’ผ Stellar! Now we can really be sure the user is who they say they are when they log in. Next, let's add some utilities that will make it much easier to access the user's information throughout our UI from anywhere in the app.

Timing Attacks

🦉 I want to take a moment to talk about timing attacks. We're currently vulnerable to these, though it doesn't matter to us. A timing attack is essentially a way to figure out a secret by measuring how long it takes to perform an operation. In our case, we're vulnerable because we're using bcrypt.compare to compare the user's password to the hash in the database. But before we do that, we're checking to see if the user exists. If the user doesn't exist, we return early.
So an adversary could determine whether a user exists by measuring how long it takes to get a response from the server. If the user doesn't exist, the response will be faster than if the user does exist, because the expensive bcrypt comparison is skipped.
In our application, the users are public knowledge, so it doesn't matter if an adversary can figure out whether a user exists. Additionally, we require usernames to be unique, so an adversary could simply try to sign up with a username to find out whether it's already taken.
But imagine a scenario where an adversary is trying to determine whether a user with a specific email has an account at a certain bank. That would probably be a bad thing, so it would be a good idea for that bank to hide whether a user exists. They could do this by always returning a response, even if the user doesn't exist, and ensuring that the response takes a random amount of time regardless of whether the user exists.
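The early return described above, beside one way to remove the timing difference, as an added example (this is not the workshop's code). bcrypt is swapped for scrypt from Node's built-in crypto module so the example runs offline; the in-memory user table, the usernames and the scrypt cost parameters are constructed for the example. Instead of the random delay mentioned in the text, the uniform version always performs the hash comparison, against a dummy hash when the user is missing, so both paths do the same amount of work. The timingGap helper is the check a practitioner would run to confirm the fix: it measures the median response time for a failed login against an existing user versus a missing one.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from 'crypto'
import { performance } from 'perf_hooks'

// Assumption: scrypt stands in for bcrypt.hash / bcrypt.compare so this runs
// offline. N = 2^14, r = 8 makes one compare cost tens of milliseconds, like a
// real bcrypt round, while staying under Node's default 32 MiB scrypt memory
// limit (128 * N * r bytes).
const SCRYPT_OPTS = { N: 1 << 14, r: 8, p: 1 }

function hashPassword(password: string): string {
  const salt = randomBytes(16).toString('hex')
  const key = scryptSync(password, salt, 32, SCRYPT_OPTS).toString('hex')
  return `${salt}$${key}`
}

function comparePassword(password: string, stored: string): boolean {
  const [salt, key] = stored.split('$')
  const candidate = scryptSync(password, salt, 32, SCRYPT_OPTS)
  // Constant-time comparison of the two 32-byte digests.
  return timingSafeEqual(candidate, Buffer.from(key, 'hex'))
}

// Constructed in-memory "user table" standing in for the workshop's Prisma model.
type UserRecord = { username: string; passwordHash: string }
const users: UserRecord[] = [
  { username: 'kody', passwordHash: hashPassword('kodylovesyou') },
]
function findUser(username: string): UserRecord | null {
  return users.find((u) => u.username === username) ?? null
}

// Leaky version, mirroring the early return the text describes: a missing
// user skips the expensive compare, so the response comes back much faster.
function verifyLoginLeaky(username: string, password: string): boolean {
  const user = findUser(username)
  if (!user) return false
  return comparePassword(password, user.passwordHash)
}

// Uniform version: always run the compare. When there is no user, compare
// against a dummy hash so the work done (and so the time taken) is the same
// on both paths. The result still requires the user to actually exist.
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'))
function verifyLoginUniform(username: string, password: string): boolean {
  const user = findUser(username)
  const matches = comparePassword(password, user ? user.passwordHash : DUMMY_HASH)
  return user !== null && matches
}

// Median wall-clock time in milliseconds of `fn` over `rounds` calls.
function medianMs(fn: () => void, rounds = 11): number {
  const samples: number[] = []
  for (let i = 0; i < rounds; i++) {
    const start = performance.now()
    fn()
    samples.push(performance.now() - start)
  }
  samples.sort((a, b) => a - b)
  return samples[Math.floor(rounds / 2)]
}

// Difference (ms) between a failed login for an existing user and one for a
// missing user. A large positive value means user existence is observable.
function timingGap(verify: (u: string, p: string) => boolean): number {
  const existing = medianMs(() => verify('kody', 'not-the-password'))
  const missing = medianMs(() => verify('nobody', 'not-the-password'))
  return existing - missing
}

console.log('leaky gap (ms):', timingGap(verifyLoginLeaky).toFixed(2))
console.log('uniform gap (ms):', timingGap(verifyLoginUniform).toFixed(2))
```

Run it and the leaky gap is roughly the cost of one hash comparison, while the uniform gap sits within measurement noise. Note that the dummy hash is generated with the same parameters as real hashes; if the dummy were cheaper to compare (or the real hashes had varying cost factors), the timing difference would return.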

Kellie's work

๐Ÿงโ€โ™‚๏ธ I'm going to make a few changes for you to help you focus on your task, specifically, I'm going to:
  1. add a (non-functional) logout button to the user's page if they're looking at their own profile.
  2. Only display the note delete and edit buttons if the user is the owner of the note.
  3. Only display an "add note" link if the user's looking at their own notes.
None of these will be wired up (that's your job), but they'll help you see what you're working towards. And it's important to note that just because we don't display the UI for something, it doesn't mean the user can't do that with sophisticated tools so we'll definitely want to add some logic on the backend too. We'll get to that later though.
As always, if you want to, you can review my work.
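The point that hiding a button is not authorization, as an added example (not the workshop's code): the same ownership rule drives both the UI decision and the server-side delete action, and the action re-checks against its own data so a hand-crafted request from a non-owner is refused even though the UI never offered the button. The in-memory note table, the user ids and the status codes are constructed for the example.

```typescript
// Constructed in-memory note table standing in for the workshop app's Prisma model.
type Note = { id: string; ownerId: string; title: string }
const notes = new Map<string, Note>([
  ['n1', { id: 'n1', ownerId: 'kody', title: 'Basic Koala Facts' }],
  ['n2', { id: 'n2', ownerId: 'hannah', title: 'Weekend plans' }],
])

// Single ownership rule, used by both the UI and the action below.
function isNoteOwner(userId: string | null, note: Note): boolean {
  return userId !== null && note.ownerId === userId
}

// What the note page asks before rendering the edit/delete buttons and the
// "add note" link. This only decides what is shown; it is not enforcement.
function noteUiFlags(userId: string | null, noteId: string, profileOwnerId: string) {
  const note = notes.get(noteId)
  const owner = note ? isNoteOwner(userId, note) : false
  return { showEdit: owner, showDelete: owner, showAddNote: userId === profileOwnerId }
}

type ActionResult = { status: number; body: string }

// The server-side action a delete request would hit. It repeats the check
// with its own data rather than trusting anything the UI decided.
// Order: 401 if not logged in, 404 if the note is missing, 403 if the caller
// is not the owner, 204 on success.
function deleteNoteAction(userId: string | null, noteId: string): ActionResult {
  if (userId === null) return { status: 401, body: 'login required' }
  const note = notes.get(noteId)
  if (!note) return { status: 404, body: 'not found' }
  if (!isNoteOwner(userId, note)) return { status: 403, body: 'forbidden' }
  notes.delete(noteId)
  return { status: 204, body: '' }
}

console.log(noteUiFlags('hannah', 'n1', 'kody')) // buttons hidden for a non-owner
console.log(deleteNoteAction('hannah', 'n1'))    // and the action still refuses: 403
```

Keeping the rule in one function (isNoteOwner) is what keeps the UI and the backend from drifting apart; when the rule later grows to include roles or permissions, both call sites change together.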
