Auth logged-in user to re-enter their password

Has anyone thought about whether it would be possible to add a password confirmation component into the auth setup? I.e. a feature that enables you to require a logged-in user to re-enter their password before being allowed access to a route.

So, your routes file could include, for example, <Reauthenticate>.

<Router>
  <Route path="/login" page={LoginPage} name="login" />
  <Private unauthenticated="login">
    <Route path="/admin" page={AdminPage} name="admin" />
    <Reauthenticate>
      <Route path="/very-secret-page" page={VerySecretPage} name="secret" />
    </Reauthenticate>
  </Private>
</Router>

In my experience it is quite a common pattern in apps these days to request password confirmation for critical actions; it would be nice if Redwood auth had a way to handle this out of the box?

Ah, that’s a really interesting idea. E.g. for GitHub Settings when you try to make repo-level changes, it requires re-authentication, correct?

I’m not sure you’d have to handle that on the Route level. What about a check at the Layout level for authentication “stale-ness”… e.g. timestamp check to see if user has had to enter password in the past X amount of time. If no, then spin up authentication flow. :thinking:

Just a thought, but maybe we achieve this using scopes on the token? This should be relatively easy with JWTs, adding the predefined set of values to the JWT claims - but again I’m coming from a custom auth standpoint, not a netlify/auth0 auth solution.

My 2p (just want to start a discussion):
In lib/auth.js where you get the currentUser, you can verify the JWT token they’re using and see if they can perform that action. If scopes aren’t included, you can redirect to login page, requesting additional scopes.

But I do think this feels like custom app logic, and probably best not handled in a router.

I’ll watch this thread :slight_smile:
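The two ideas above, the "stale-ness" timestamp check and verifying the JWT where currentUser is resolved in lib/auth.js, combined as an added example that is not part of this thread or of Redwood itself. It assumes the token is an OIDC-style ID token carrying an `auth_time` claim and has already been signature-verified before its payload reaches these functions; the route names and the policy table are made up.

```javascript
// Added example (not Redwood's code): decide whether a logged-in user must
// re-enter their password before reaching a sensitive route, judging by how
// long ago they last actively authenticated. Input is a decoded JWT payload
// whose signature was already checked (e.g. in api/src/lib/auth.js).

const CLOCK_SKEW_SECONDS = 30; // tolerate small clock drift between issuer and this host

// `auth_time` is the standard OIDC claim for when the user last actively
// authenticated. We deliberately do NOT fall back to `iat`: a silently refreshed
// token gets a new `iat` without the user ever typing a password, so using it
// would make every refreshed session look "fresh".
function requireRecentAuth(claims, maxAgeSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims !== 'object') return { allow: false, reason: 'no-session' };
  const authTime = claims.auth_time;
  if (!Number.isFinite(authTime)) return { allow: false, reason: 'no-auth-time' }; // fail closed
  if (authTime - CLOCK_SKEW_SECONDS > nowSeconds) return { allow: false, reason: 'auth-time-in-future' };
  const ageSeconds = nowSeconds - authTime;
  if (ageSeconds > maxAgeSeconds) return { allow: false, reason: 'stale', ageSeconds };
  return { allow: true, ageSeconds };
}

// Hypothetical per-route policy: route name -> max seconds since last password entry.
// Routes absent from the policy need nothing beyond being logged in.
const REAUTH_POLICY = { secret: 5 * 60, admin: 60 * 60 };

// Decide what a <Reauthenticate> wrapper should do for a named route. The same
// decision must be repeated in the API service behind the route: client-side
// gating only shapes the UI, it does not protect the sensitive action itself.
function decideRoute(routeName, claims, nowSeconds, policy = REAUTH_POLICY) {
  const maxAge = policy[routeName];
  if (maxAge === undefined) return { allow: true, reason: 'no-reauth-required' };
  return requireRecentAuth(claims, maxAge, nowSeconds);
}
```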
