...

The LoginResource returns the response back to the user. The LoginResource needs to get the name of the user, so that it can check whether the login is correct and knows who the created token is for. If LoginResource doesn't know the username, duplicate code would have to be written in the LoginController. The response changes if the verification process fails: this produces a 403 response back to the resource and throws an exception in the code. If it is correct, createToken and getUserWithUsername are executed. The userDAO needs to create a LoginRequestDTO class, so that it can hold the data read from the database in the code. This data is then added to an array called users, which is returned to LoginController. In createToken, a new create message is sent to LoginResponseDTO. This happens so that the response back to the user contains a token and a username.

Design decisions

Decision: Description

Problem/Issue: The password can't be seen in the database, so that hackers aren't able to log in to other accounts.

Decision: Using Argon2, we can hash the passwords of users, so that only a hashed password is stored in the database. This prevents hackers from seeing someone else's password.

Alternatives: SHA-512, MD5, PBKDF2, BCrypt, and SCrypt (Millington, 2022)

Arguments: From a comment in Baeldung (Millington, 2022), I saw Argon2 being suggested. Going to the Supertokens website (Supertokens Team, 2022), I found a tool that detects how safe a password is. With that, Supertokens also recommended using this hashing tool this March, which is quite recent. It uses more resources from your computer, but it makes a stronger password hash from it. Regterschot Racing required minimum security, which also includes a hashed password.
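As an added example (not the project's own code) of the decision above: hashing a password with Argon2id so that only salt and hash reach the userDAO, and verifying a login attempt against the stored value. It assumes the Bouncy Castle provider is on the classpath; the cost parameters and the "salt$hash" storage format are assumptions for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;

public class PasswordHasher {
    // Cost parameters are an assumption for this example; tune them to the server.
    private static final int MEMORY_KB = 65536;  // 64 MiB per hash
    private static final int ITERATIONS = 3;
    private static final int PARALLELISM = 1;
    private static final int SALT_LEN = 16;
    private static final int HASH_LEN = 32;

    private static byte[] argon2(char[] password, byte[] salt) {
        Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
                .withVersion(Argon2Parameters.ARGON2_VERSION_13)
                .withMemoryAsKB(MEMORY_KB)
                .withIterations(ITERATIONS)
                .withParallelism(PARALLELISM)
                .withSalt(salt)
                .build();
        Argon2BytesGenerator generator = new Argon2BytesGenerator();
        generator.init(params);
        byte[] hash = new byte[HASH_LEN];
        generator.generateBytes(password, hash);
        return hash;
    }

    /** What the DAO stores for a user: a fresh random salt plus the hash, never the password. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + "$" + b64.encodeToString(argon2(password, salt));
    }

    /** The verify step: recompute with the stored salt and compare in constant time. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 2) return false;  // malformed row: treat as failed login (403)
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, argon2(password, salt));
    }

    public static void main(String[] args) {
        String stored = hash("correct horse".toCharArray());   // constructed sample password
        System.out.println(verify("correct horse".toCharArray(), stored));
        System.out.println(verify("wrong password".toCharArray(), stored));
    }
}
```

On a failed verify the LoginResource would return the 403 described above rather than leaking whether the username or the password was wrong.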

...