Evan 92d9f7a93c Create a docs folder, add auth & architecture docs (#2623)
## Description:
Create docs folder
## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText() and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or regression is found:

evan
2025-12-15 09:07:31 -08:00


# Authentication & Authorization Flow
## Token Management
1. **Long-lived refresh token**: Stored as an HTTP-only cookie with a 30-day TTL
2. **Token exchange**: User sends refresh token to the API server, receives a short-lived JWT in return, and the refresh token is rotated
3. **JWT properties**:
   - 15-minute TTL (limits the damage window if compromised)
   - Contains the persistentID
   - Stored in memory only (lost on page refresh)
## WebSocket Authorization
1. **WebSocket connection**: When a user connects, the server validates the JWT and creates a `clientID => persistentID` mapping, establishing that this client is authorized to act on behalf of this persistent identity
2. **Post-connection authorization**: Once the WebSocket connection is established, no further token verification is needed. For actions like pause requests, simple ownership checks suffice.
## Key Insight
JWT verification happens once at WebSocket connection time. After that, the established mapping allows for lightweight authorization checks based on clientID rather than repeated token validation.
## Development Mode
When running the game in development, the API server is not active, so the game falls back to checking only persistentIDs for verification instead of JWTs. This is less secure, as stealing a persistentID means the attacker has indefinite control of the victim's account.
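The flow above (refresh-token exchange with rotation, a 15-minute HS256 JWT carrying the persistentID, one-time verification at WebSocket connect that fills the `clientID => persistentID` map, an ownership check for pause requests, and the development-mode fallback that trusts a bare persistentID) as a self-contained worked example. This is added illustration code, not the project's own server or client code: the in-memory token tables, the `signJwt`/`verifyJwt`/`exchangeRefreshToken`/`onWebSocketConnect`/`canPause` names, the hard-coded secret and the `devMode` flag are all assumptions made here.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// TTLs from the doc: 15-minute JWT, 30-day refresh token.
export const JWT_TTL_MS = 15 * 60 * 1000;
export const REFRESH_TTL_MS = 30 * 24 * 60 * 60 * 1000;
// Constructed example secret; a real server would load this from configuration.
const HS256_SECRET = "example-hs256-secret-not-for-production";

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac).
export function signJwt(persistentID: string, now = Date.now()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    sub: persistentID,
    iat: Math.floor(now / 1000),
    exp: Math.floor((now + JWT_TTL_MS) / 1000),
  }));
  const sig = createHmac("sha256", HS256_SECRET).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Returns the persistentID on success, null for a malformed, forged, or expired token.
export function verifyJwt(token: string, now = Date.now()): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts as [string, string, string];
  // Signature check first, in constant time, before trusting any claim.
  const expected = createHmac("sha256", HS256_SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString());
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
    if (hdr.alg !== "HS256") return null;            // reject algorithm substitution
    if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) return null;
    return typeof claims.sub === "string" ? claims.sub : null;
  } catch {
    return null;
  }
}

// Server-side refresh-token table (constructed, in-memory): token -> owner + expiry.
const refreshTokens = new Map<string, { persistentID: string; expiresAt: number }>();

export function issueRefreshToken(persistentID: string, now = Date.now()): string {
  const token = randomBytes(32).toString("base64url"); // opaque, unguessable
  refreshTokens.set(token, { persistentID, expiresAt: now + REFRESH_TTL_MS });
  return token;
}

// Token exchange: refresh token in, short-lived JWT plus a rotated refresh token out.
export function exchangeRefreshToken(
  oldToken: string, now = Date.now(),
): { jwt: string; refreshToken: string } | null {
  const rec = refreshTokens.get(oldToken);
  refreshTokens.delete(oldToken);                     // rotation: single use, even on failure
  if (!rec || rec.expiresAt <= now) return null;
  return { jwt: signJwt(rec.persistentID, now), refreshToken: issueRefreshToken(rec.persistentID, now) };
}

// clientID => persistentID mapping, filled once per connection.
const clients = new Map<string, string>();

// Verifies the credential at connect time. In devMode the API server is absent, so the
// credential is taken to be a bare persistentID with no verification at all: whoever
// presents it is that identity for as long as they like.
export function onWebSocketConnect(
  clientID: string, credential: string, opts: { devMode?: boolean; now?: number } = {},
): boolean {
  const persistentID = opts.devMode ? credential : verifyJwt(credential, opts.now ?? Date.now());
  if (persistentID === null || persistentID === "") return false; // reject the connection
  clients.set(clientID, persistentID);
  return true;
}

export function onWebSocketClose(clientID: string): void {
  clients.delete(clientID);
}

// Post-connection check: no token is re-verified, only the established mapping is consulted.
export function canPause(clientID: string, gameOwnerPersistentID: string): boolean {
  const persistentID = clients.get(clientID);
  return persistentID !== undefined && persistentID === gameOwnerPersistentID;
}
```

Two design points follow from the doc itself and are visible in the code: a refresh token is consumed on every exchange, so a replayed (stolen and reused) token fails even if it has not expired; and because verification happens only in `onWebSocketConnect`, the 15-minute JWT TTL bounds how long a leaked token can open new connections, not how long an already-open socket stays authorized.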