Migrate default server-side tokens from JWT to stored tokens #419
Labels
No labels
architecture
authentication
backend
bug
ci/cd
cleanup
documentation
duplicate
enhancement
good first issue
help wanted
in progress
invalid
media
mobile
new feature
packaging
question
ui
voice
waiting user input
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: platypush/platypush#419
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The JWT mechanism is relatively brittle.
Since the JWT isn't stored on the server, it needs to carry the authentication info of the user, be decrypted as JSON on the server when a request is received, and then undergo a normal
authenticate(user, pwd)
flow.This is problematic for three reasons:
Platypush should instead rely on random stored session tokens for this job.
The tokens' bcrypt hashes should then be stored on the application db.