Restore previous JWT tokens generation logic #237
Reference: platypush/platypush#237
In the previous implementation of the JWT generation logic the service's private key was used to encrypt the authentication payload (without the password), and the public key was used to decode it.

The new logic (using Python's native rsa module instead of cryptography) uses instead the service's public key to encrypt the payload (including the password) and the private key to decrypt it. The decoded password is then used to authenticate the user.

We want to go back to the previous logic for two reasons:

- Encrypting the user's password in a JWT token is not particularly safe, even if only the service can decrypt it using its private key.
- If users change their passwords, their JWT tokens will be invalidated.