-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[webflow to gatsby] Best way to secure user sessions blog #196
[webflow to gatsby] Best way to secure user sessions blog #196
Conversation
✅ Deploy Preview for gracious-clarke-e6b312 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
||
The critical auth token is perpetually exposed over two attack surfaces, the frontend, and the backend and occasionally exposed over transit. | ||
|
||
*Effect of stolen auth tokens:* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*Effect of stolen auth tokens:* | |
*Effect of stolen auth tokens:* | |
|
||
Refresh token stolen: Detection of theft will enable the stolen refresh token to be invalidated, limiting the damage to a short period of time | ||
|
||
*Detection of theft:* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*Detection of theft:* | |
*Detection of theft:* | |
- If both, the victim and the attacker, use RT0 at the same time, then one would get (RT1, AT1), and the other (RT2, AT2). The next request by either of them with the new access token would either invalidate RT1 or RT2, resulting in either the victim or the attacker to be eventually[[1]](#footnotes) logged out. Again, here the backend would get a clear indication of theft. | ||
|
||
|
||
*Once detected:* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*Once detected:* | |
*Once detected:* | |
…rtokens/blog into blog/revoking-access
Related Issue
adds Best way ti secure user sessions blog
Link to Google Doc
TODO
Checklist
Remaining TODOs