Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvements for Paseto authentication by signing Payload #105

Open
LorenzoS92 opened this issue Aug 3, 2022 · 0 comments
Open

Improvements for Paseto authentication by signing Payload #105

LorenzoS92 opened this issue Aug 3, 2022 · 0 comments
Labels
enhancement New feature or request

Comments

@LorenzoS92
Copy link
Contributor

Improve Paseto Authentication by sign also the entire payload, as suggested in Paseto V4 implementations.

Following example, explains the ways to do: https://github.com/aidantwoods/go-paseto#go-paseto

publicKey, err := paseto.NewV4AsymmetricPublicKeyFromHex("1eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2") // this wil fail if given key in an invalid format
signed := "v4.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAyMi0wMS0wMVQwMDowMDowMCswMDowMCJ9v3Jt8mx_TdM2ceTGoqwrh4yDFn0XsHvvV_D0DtwQxVrJEBMl0F2caAdgnpKlt4p7xBnx1HcO-SPo8FPp214HDw.eyJraWQiOiJ6VmhNaVBCUDlmUmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9"

parser := paseto.NewParserWithoutExpiryCheck() // only used because this example token has expired, use NewParser() (which checks expiry by default)
token, err := parser.ParseV4Public(publicKey, signed, nil) // this will fail if parsing failes, cryptographic checks fail, or validation rules fail

// the following will succeed
require.JSONEq(t,
    "{\"data\":\"this is a signed message\",\"exp\":\"2022-01-01T00:00:00+00:00\"}",
    string(token.ClaimsJSON()),
)
require.Equal(t,
    "{\"kid\":\"zVhMiPBP9fRf2snEcT7gFTioeA9COcNy9DfgL1W60haN\"}",
    string(token.Footer()),
)
require.NoError(t, err)

As you can see in this example, the payload data is checked with the token.
We should implement this to avoid replay attacks with the token.
@LorenzoS92 LorenzoS92 added the enhancement New feature or request label Aug 3, 2022
@LorenzoS92 LorenzoS92 added this to the Technical Demo milestone Aug 3, 2022
@LorenzoS92 LorenzoS92 self-assigned this Aug 3, 2022
@LorenzoS92 LorenzoS92 moved this from Ready to In Progress in Developers Italia API - Demo Aug 24, 2022
@LorenzoS92 LorenzoS92 moved this from In Progress to Ready in Developers Italia API - Demo Aug 24, 2022
@LorenzoS92 LorenzoS92 removed this from the Technical Demo milestone Aug 24, 2022
@bfabio bfabio reopened this Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
No open projects
Developers Italia API - Demo
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bfabio @LorenzoS92