Migrate default server-side tokens from JWT to stored tokens #419

Closed
opened 2024-07-25 23:38:21 +02:00 by blacklight · 0 comments
Owner

The JWT mechanism is relatively brittle.

Since the JWT isn't stored on the server, it needs to carry the authentication info of the user, be decrypted as JSON on the server when a request is received, and then undergo a normal `authenticate(user, pwd)` flow.

This is problematic for three reasons:

  1. If the user password changes, all of their JWT tokens will be invalidated.
  2. It bypasses any configured 2FA mechanisms.
  3. It doesn't provide granular control to invalidate only some sessions - the only way to invalidate a session is to change the password, and that invalidates all the tokens.

Platypush should instead rely on random stored session tokens for this job.

The tokens' bcrypt hashes should then be stored on the application db.
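A minimal model of the stored-token scheme proposed above, added here as an illustration and not platypush code: the names (`SessionStore`, `Session`, `hash_token`, `verify_token`), the `<public id>.<secret>` token layout and the in-memory dict standing in for the db table are all assumptions. It hashes the secret with bcrypt when the `bcrypt` package is installed and otherwise falls back to the standard library's PBKDF2 so the example runs without extra dependencies.

```python
"""Random stored session tokens: only a hash is kept, sessions are revocable one by one.

Illustrative design sketch, not platypush code; all names here are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

try:
    import bcrypt  # the hash the issue proposes; not in the standard library
except ImportError:  # fall back to stdlib PBKDF2 so the example runs anywhere
    bcrypt = None

PBKDF2_ROUNDS = 100_000


def hash_token(secret: str) -> str:
    """Hash the secret half of a token for storage; the plaintext is never kept."""
    if bcrypt is not None:
        return "bcrypt$" + bcrypt.hashpw(secret.encode(), bcrypt.gensalt()).decode()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_token(secret: str, stored: str) -> bool:
    """Constant-time check of a presented secret against its stored hash."""
    scheme, rest = stored.split("$", 1)
    if scheme == "bcrypt":
        return bcrypt is not None and bcrypt.checkpw(secret.encode(), rest.encode())
    salt_hex, digest_hex = rest.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Session:
    session_id: str  # public lookup key, safe to show in a "your sessions" UI
    user: str
    token_hash: str  # only the hash of the secret half goes to the db
    created_at: float
    expires_at: Optional[float]
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the application db table of session tokens."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float, ttl: Optional[float] = None) -> str:
        # Token = <public id>.<random secret>. The id lets the server find the row
        # without hashing, since salted hashes (bcrypt) cannot serve as a lookup key.
        session_id = secrets.token_urlsafe(9)
        secret = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(
            session_id=session_id,
            user=user,
            token_hash=hash_token(secret),
            created_at=now,
            expires_at=None if ttl is None else now + ttl,
        )
        return f"{session_id}.{secret}"

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the user name for a valid token, else None."""
        session_id, _, secret = token.partition(".")
        session = self._sessions.get(session_id)
        if session is None or session.revoked or not secret:
            return None
        if session.expires_at is not None and now >= session.expires_at:
            return None
        if not verify_token(secret, session.token_hash):
            return None
        return session.user

    def revoke(self, session_id: str) -> bool:
        """Invalidate one session without touching the user's other sessions."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session.revoked = True
        return True

    def revoke_all(self, user: str) -> int:
        """What a password change used to do implicitly; now an explicit choice."""
        count = 0
        for session in self._sessions.values():
            if session.user == user and not session.revoked:
                session.revoked = True
                count += 1
        return count

    def active_sessions(self, user: str, now: float) -> List[str]:
        """Session ids a UI could list so the user can pick which one to revoke."""
        return [
            s.session_id
            for s in self._sessions.values()
            if s.user == user
            and not s.revoked
            and (s.expires_at is None or now < s.expires_at)
        ]
```

The public id prefix is the design choice worth noting: because bcrypt (and the PBKDF2 fallback) salts every hash, the server cannot find a row by hashing the presented token, so a random plaintext identifier does the lookup and only the secret half is hashed and compared. Changing the user's password no longer touches this table, so invalidating sessions becomes an explicit `revoke` or `revoke_all` call rather than a side effect.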

blacklight added this to the v1.2.0 milestone 2024-07-25 23:38:21 +02:00
blacklight added the backend, new feature, ui, authentication labels 2024-07-25 23:38:21 +02:00
blacklight self-assigned this 2024-07-25 23:38:21 +02:00
blacklight added this to the core project 2024-07-25 23:38:21 +02:00
blacklight added reference 419/api-tokens 2024-07-26 02:32:09 +02:00
Reference: platypush/platypush#419