So I’m trying to work out how to use the Basic Authentication that Dash provides to keep track of which user logged in and store that information so I can display a page with customized information, but I am uncertain how Dash handles things.
From the looks of it, the basic auth gets called on page load and the username can be stored in a variable, but as it’s not in the actual app yet, it would be stored as a global variable. Wouldn’t that then get altered again when another user starts using the page?
One solution I’ve been thinking of is to just start the app normally with two main divs. One with a login form and the rest hidden. Upon entering the right user/pass combo, the login form becomes hidden, and the rest of the page is unhidden with the contents dynamically created based on the username. The username would just be stored in a hidden intermediate value div.
This seems easier to implement and would allow multiple users to use the same instance of the app with their own pages displayed. I am however concerned that there may be some inherent security risks that I am unaware of.
For security I’m planning to:
Store the user info in an SQL database. The username will be in one table, a cryptographically-secure-pseudo-random salt in another database, and a hashed version of the password+salt combo in the same database/table as the username. The password provided by the user attempting to log in will be combined with the salt, hashed, and then compared to the stored hash of the password+salt combo. The login info for the SQL server itself will be stored in a separate config file so all the app sees are variables.
I’ll be doing my best to check the inputs for SQL injection attacks as well.
Are there any things I haven’t thought of or reasons why this approach just wouldn’t work?
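An added example (not the poster's code) of the salted-hash login check and the parameterised SQL described in the post, written in Python since Dash is a Python framework. It uses an in-memory SQLite database as a stand-in for the SQL server; keeping the salt in the same table as the hash, using PBKDF2-HMAC-SHA256 rather than a single hash round, and the sample usernames and passwords are all my choices for the example, not details from the post.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation is 600,000).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def init_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database standing in for the SQL server.

    Assumption: one table holds username, salt and hash together (the post
    puts the salt in a separate database; the verification logic is the same).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username TEXT PRIMARY KEY,"
        "  salt     BLOB NOT NULL,"
        "  pw_hash  BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password (PBKDF2 rather than a bare SHA-256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a fresh CSPRNG salt and the hash of password+salt, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    # Parameterised query: the driver binds the values, so a username such as
    # "' OR 1=1 --" is stored as a literal string and never interpreted as SQL.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look up the user's salt, rehash the submitted password and compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Unknown user: do the same amount of hashing work so the response
        # time does not reveal which usernames exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    salt, stored_hash = row
    # Constant-time comparison; a plain == would leak via its early exit.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def salts_differ(conn: sqlite3.Connection, user_a: str, user_b: str) -> bool:
    """Two users with the same password must still end up with different rows."""
    rows = {
        u: conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (u,)).fetchone()
        for u in (user_a, user_b)
    }
    return rows[user_a][0] != rows[user_b][0] and rows[user_a][1] != rows[user_b][1]


if __name__ == "__main__":
    db = init_db()
    # Constructed sample users; both deliberately share a password.
    create_user(db, "alice", "correct horse battery staple")
    create_user(db, "bob", "correct horse battery staple")
    print(verify_login(db, "alice", "correct horse battery staple"))  # True
    print(verify_login(db, "alice", "wrong password"))                # False
    print(verify_login(db, "' OR 1=1 --", "anything"))                # False
    print(salts_differ(db, "alice", "bob"))                           # True
```

The two points worth carrying over to a real deployment are that the "check the inputs for SQL injection" step becomes unnecessary once every query is parameterised as above (the driver, not string formatting, builds the statement), and that the comparison of the stored and recomputed hashes should be constant-time.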