Hello everyone!
I'm integrating an application-specific API with a shared FusionAuth server. We've successfully integrated the authentication system; the only missing piece is the password confirmation on risky features, for example:
- A user wants to delete some dangerous data;
- User is authenticated (JWT) and does have all required permissions;
- We want a password confirmation to improve the user experience around the risky action.
As described in the above scenario, there is no need for a full authentication process, like issuing a new JWT. We would just like to prompt for a password confirmation and validate it with FusionAuth.
As an alternative, we are currently duplicating the password in our local database: since the main App doesn't have a "password update" feature yet, we just need to store the hashed value during creation. But that will change in the near future and we'd need to keep the password hashes in sync, not to mention that it is not good practice to keep the hash outside of FA.
What are your thoughts and suggestions on the matter?
Have a great day
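The step-up pattern the post describes, as an added example that is not part of the original post and not FusionAuth's own code: the confirmation gate is kept separate from session issuance, a successful confirmation is remembered per session for a short window, and repeated failures lock the gate. The verifier is injected, so the gate runs offline with a constructed stand-in; the `fusionauth_verify` helper is an assumption about using FusionAuth's Login API (`POST /api/login` with `loginId`, `password`, `applicationId`, API key in the `Authorization` header) purely as a credential check, discarding the token it returns.

```python
"""Step-up password confirmation in front of a risky action.

Added example, not from the original post or from FusionAuth. Assumptions:
- the caller has already validated the user's JWT and permissions;
- `verify_password` checks the password against the identity provider;
- a confirmation stays valid for a short window so the user is not
  prompted again on every click within that window.
"""
import time
from typing import Callable, Dict

CONFIRM_WINDOW_SECONDS = 300   # how long one confirmation stays valid
MAX_FAILURES = 5               # lock the gate for a session after this many bad attempts


class StepUpGate:
    def __init__(self, verify_password: Callable[[str, str], bool], clock=time.time):
        self._verify = verify_password
        self._clock = clock
        self._confirmed_at: Dict[str, float] = {}  # session_id -> time of last confirmation
        self._failures: Dict[str, int] = {}        # session_id -> consecutive failures

    def confirm(self, session_id: str, login_id: str, password: str) -> bool:
        """Verify the password for this session; no new session or JWT is issued."""
        if self._failures.get(session_id, 0) >= MAX_FAILURES:
            return False  # locked: too many bad attempts on this session
        if self._verify(login_id, password):
            self._confirmed_at[session_id] = self._clock()
            self._failures.pop(session_id, None)
            return True
        self._failures[session_id] = self._failures.get(session_id, 0) + 1
        return False

    def is_confirmed(self, session_id: str) -> bool:
        """True if the session confirmed its password within the window."""
        ts = self._confirmed_at.get(session_id)
        return ts is not None and self._clock() - ts < CONFIRM_WINDOW_SECONDS

    def invalidate(self, session_id: str) -> None:
        """Drop the confirmation, e.g. after the risky action completes."""
        self._confirmed_at.pop(session_id, None)


def fusionauth_verify(base_url: str, api_key: str, application_id: str):
    """Build a verifier backed by FusionAuth's Login API (assumed endpoint:
    POST /api/login with loginId, password, applicationId; API key sent in
    the Authorization header). Only the HTTP status is used; the token in
    the response body is never read or stored, so nothing app-side treats
    the call as a new login."""
    import json
    import urllib.error
    import urllib.request

    def verify(login_id: str, password: str) -> bool:
        body = json.dumps({"loginId": login_id, "password": password,
                           "applicationId": application_id}).encode()
        req = urllib.request.Request(
            f"{base_url}/api/login", data=body, method="POST",
            headers={"Authorization": api_key, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status == 200
        except urllib.error.HTTPError:
            return False  # 404 (bad credentials) and other errors all mean "not confirmed"
    return verify


def demo():
    # Constructed stand-in for the identity provider so the example runs offline.
    fake_users = {"alice@example.com": "correct horse"}
    now = [1000.0]
    gate = StepUpGate(lambda u, p: fake_users.get(u) == p, clock=lambda: now[0])
    results = [gate.is_confirmed("sess-1")]                                    # not yet confirmed
    results.append(gate.confirm("sess-1", "alice@example.com", "wrong"))       # bad password
    results.append(gate.confirm("sess-1", "alice@example.com", "correct horse"))
    results.append(gate.is_confirmed("sess-1"))                                # inside the window
    now[0] += CONFIRM_WINDOW_SECONDS + 1
    results.append(gate.is_confirmed("sess-1"))                                # window expired
    return results


if __name__ == "__main__":
    print(demo())
```

The confirmation is keyed by session, not by user, so a second device holding a different session has to confirm on its own; and because the app only reads the HTTP status, the password hash never leaves FusionAuth, which removes the need to keep a local copy in sync.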