(this topic was solved - can a moderator close this?)
I’m not from Romania, but in general your admin dashboard (where you see and control user info) should be locked down with passwords, one-time access codes etc. And passwords should be hashed and salted. Also, the user should have the right to see what you’re collecting under GDPR regulations.
Could you explain? Any info collected from auth forms should be requestable by the user.
Say I sign up to your site- I should have the right to ask for my IP, or my username and stuff like that. But only after I have gone through a thorough process to prove my identity
Follow these steps:
1. Lock down the page where you can see user info. All passwords should be hashed and not be seen, not even by admins.
2. Allow people to request data you collect; Discord, for example, offers users the option to see what info Discord has collected. In this case make sure they can prove their identity.
3. Make a privacy notice: tell people where and what their data is going to be used for.
4. Admins should be people who can be trusted not to disclose user info to the outside world.
Edit: I typed this before 17lwinn posted this so I don’t mean for this to be a duplicate
@LankyBox01 also, you should only collect relevant user data (passwords, usernames etc) and destroy them when they are no longer needed.
@aboutDavid thanks for the extra reply!
Also, you should hash your users’ passwords using something like bcrypt. And if you impersonate users you (possibly, maybe) could be sued/your users could lose their trust in you.
From experience- even the tightest systems can be penetrated by a backdoor. Admin interfaces especially should be handled with caution.
I am collecting it in case someone forgets their password, or is hacked, so admins can run the users through a test to check if they actually are “themselves” so they can give the password back to them.
So I don’t think I can destroy the info…
Also, I am keeping them in the .env file.
No, you should allow them to reset their password instead of giving it to them. If you store non-hashed passwords, then you are vulnerable to database breaches and your users will be really mad at you because you could have prevented it but you just didn’t hash passwords.
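An added example, not part of the thread or any poster's code, of what the replies above recommend: store only a salted hash, and recover accounts with a one-time reset token instead of handing the old password back. It uses scrypt from Node's standard library in place of bcrypt; the record field names and the 15-minute token lifetime are assumptions.

```javascript
// Added example: scrypt from Node's standard library stands in for bcrypt.
const crypto = require("crypto");

// Returns "salt:hash" in hex. A fresh random salt per record means two users
// with the same password do not end up with the same stored value.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return salt.toString("hex") + ":" + hash.toString("hex");
}

// Recomputes the hash with the stored salt and compares in constant time.
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

const RESET_TTL_MS = 15 * 60 * 1000; // assumed token lifetime: 15 minutes

// Issues a one-time reset token. Only its SHA-256 digest is stored, so a
// leaked user table contains neither passwords nor usable reset tokens.
function issueResetToken(user, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");
  user.resetDigest = crypto.createHash("sha256").update(token).digest("hex");
  user.resetExpires = now + RESET_TTL_MS;
  return token; // goes to the user's verified e-mail, never to an admin screen
}

// Sets a new password only if the token matches, is unexpired and unused.
function redeemResetToken(user, token, newPassword, now = Date.now()) {
  if (!user.resetDigest || now > user.resetExpires) return false;
  const digest = crypto.createHash("sha256").update(String(token)).digest();
  const stored = Buffer.from(user.resetDigest, "hex");
  if (!crypto.timingSafeEqual(digest, stored)) return false;
  user.passwordHash = hashPassword(newPassword);
  user.resetDigest = null; // single use: the token cannot be replayed
  user.resetExpires = 0;
  return true;
}

// Constructed sample record (hypothetical field names).
const demoUser = { name: "alice", passwordHash: hashPassword("old-pass-123") };
```

With this layout an admin page can show that a password is set and when a reset was requested, but has nothing it could read back to anyone.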
I don’t think I can do that.
Firstly, never keep passwords in .env: projects can be hijacked and the .env is never 100% safe.
Always store in a safe place, like a hidden folder or an external service like MongoDB Atlas.
How can I make a file allowed only for certain Google accounts?
Just use Firebase Auth. It’s really easy to use and supports OAuth.
Hey, also forgot- the Glitch TOS REQUIRES contains what you must do with user data collected on a Glitch site.
Can you link to that section? I actually never saw it
hang on let me find it…
ah here we are- section F privacy:
If you collect any Personal Information from a User, you agree that you will only use the Personal Information you gather for the purpose for which the User has authorized it. You agree that you will reasonably secure any Personal Information you have gathered from the Services, and you will respond promptly to complaints, removal requests, and ‘do not contact’ requests from us or Users.
Also, if you really want good legal advice, you should probably ask in r/legaladvice as they have better legal advice than us.