platypush/platypush
platypush
/
platypush
2
2
Fork 4
Code Issues 44 Pull Requests 1 Packages Projects 4 Releases Wiki Activity

Restore previous JWT tokens generation logic #237

New Issue
Closed
opened 2022-12-16 23:19:12 +01:00 by blacklight · 0 comments
blacklight commented 2022-12-16 23:19:12 +01:00
Owner
Copy Link

In the previous implementation of the JWT generation logic the service's private key was used to encrypt the authentication payload (without the password), and the public key was used to decode it.

The new logic (using Python's native rsa module instead of cryptography) uses instead the service's public key to encrypt the payload (including the password) and the private key to decrypt it. The decoded password is then used to authenticate the user.

We want to go back to the previous logic for two reasons:

  1. Encrypting the user's password in a JWT token is not particularly safe, even if only the service can decrypt it using its private key.

  2. If users change their passwords, their JWT tokens will be invalidated.

In the previous implementation of the JWT generation logic the service's private key was used to encrypt the authentication payload (without the password), and the public key was used to decode it. The new logic (using Python's native `rsa` module instead of `cryptography`) uses instead the service's public key to encrypt the payload (including the password) and the private key to decrypt it. The decoded password is then used to authenticate the user. We want to go back to the previous logic for two reasons: 1. Encrypting the user's password in a JWT token is not particularly safe, even if only the service can decrypt it using its private key. 2. If users change their passwords, their JWT tokens will be invalidated.
blacklight self-assigned this 2022-12-16 23:19:12 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
304-new-picovoice-integration
286/merge-foursquare-backend
271/runtime-integrations
stable
317-ci-cd-automation-for-stable-branch
311/auto-generate-deps-docs
v0.50.3
v0.50.2
v0.50.1
v0.50.0
v0.24.5
v0.24.4
v0.24.3
v0.24.2
v0.24.1
v0.24.0
v0.23.6
v0.23.5
v0.23.4
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.10
v0.22.9
v0.22.8
v0.22.7
v0.22.6
v0.22.5
v0.22.4
v0.22.3
v0.22.2
v0.22.1
v0.22.0
v0.21.4
v0.21.3
v0.21.2
v0.21.1
v0.21.0
v0.20.10
v0.20.9
v0.20.8
v0.20.7
v0.20.6
v0.20.5
v0.20.4
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.13.9
v0.13.8
v0.13.7
v0.13.6
v0.13.5
v0.13.4
v0.13.3
v0.13.2
v0.13.1
v0.13.0
v0.12.10
v0.12.9
v0.12.8
v0.12.7
v0.12.6
v0.12.5
v0.12.4
v0.12.3
v0.12.2
v0.12.1
v0.12.0
v0.11.5
v0.11.4
v0.11.3
v0.11.1
v0.11.0
v0.10.9
v0.10.8
v0.10.7
0.10.6
v0.10.6
v0.10.5
0.10.4
0.10.2
0.10.1
0.10
0.9.6
0.9.3
0.9.2
Labels
Clear labels   
architecture

   
bug

   
ci/cd

   
cleanup

   
documentation

   
duplicate

   
enhancement

   
good first issue

   
help wanted

   
in progress

   
invalid

   
new feature

   
packaging

   
question

   
ui

   
waiting user input

   
wontfix
No Label
architecture
bug
ci/cd
cleanup
documentation
duplicate
enhancement
good first issue
help wanted
in progress
invalid
new feature
packaging
question
ui
waiting user input
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
blacklight
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: platypush/platypush#237
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?