Rationale:
- I don't want to have the hurdle of a login as it's just a demo.
- The data, however, is confidential, so I want to keep it as secure as possible.
For the app, the user needs to interact with my DB.
The user's data doesn't need to / must not be exposed to any other devices.
The approach I'm testing right now is a uuid7-based session cookie. All data is tied to that user ID. Once the cookie gets deleted, the machine loses access to the data, which is fine. Also, it would be quite challenging to guess correct user IDs from my understanding. The downside I see is that the cookie could be exposed another way. But since this is a demo...
Can you give me any pointers? I don't want to dump too much time into this, yet keep it somewhat secure.
Are there any elegant approaches for something like this?
https://www.w3.org/TR/capability-urls/
Problem is of course that URLs are not treated as a secret, but with widespread TLS I still consider it safe. I do employ some services that make use of it and access logs confirm that it is still a viable solution.
Of course it depends on how well users treat this "secret" and the URL should only be valid for a limited time (That can be much longer than the usual PW reset though, depending on your use case).
Perhaps you could allow the token to be password encrypted.
Store the encrypted token in local storage and store the decrypted token in session storage.