implement refresh token and secure the shit out of it (phone: secure storage, http only cookie)
shorten jwt validity to minutes
implement /api/auth/logout-all (regen shared secret or something so that everything gets invalid)
implement refresh token blacklist, clean it on logout-all event
check jwt algs, alg none prevention must be hardcoded
check if we prevent an rsa public key being used as hmac shared secret (don't allow algorithms to use the wrong keys / with each key store what algo it's for and what kind of key it is)
microservices running on different instances will need to know the public keys used for signing tokens. public keys need to be cycled. to ensure the right pubkey is used for jwt verification, add a kid claim to jwt and a /api/auth/jwt/keys endpoint where microservices can fetch keys periodically.
add /api/auth/jwt/exchange to exchange i.e. browser jwt for device jwt.
decouple auth completely from glued so that we dont have to proxy requests via php
break foreign key constraints on users
without fk, we can't cascade delete. so either all uS need a delete api accepting a user id (with gdpr maybe anonymize and hide) or we need a webhook (publish/subscribe thing).
/api/auth/jwt/revoke for user pressing logout button (store in db what to kill?, put it into tokens? - maybe just have a webhook that will tell everybody to ignore all jwts issued from time_when_user_logged_out() - 3600 till time_when_user_logged_out() .. then each service will have a local cache of tokens to ignore ) ... maybe allow revoking one refresh token or all tokens for a user id.
remember all issued refresh tokens and devices they were issued for (so this is mostly like a session)
store all logins for all time
handle semi-logged in users (i.e. password change required, or email not verified, or 2fa, ... leave users without a jwt or with a jwt without roles).
decide where the fuck we stick in the sso and social logins shit and what shit it shall be :) @zelitomas
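Added example, not code from this issue or the project: a stdlib-only verifier for the two alg items above. `alg: none` is rejected unconditionally, and the algorithm is taken from the kid's registry entry rather than the token header, so a token claiming HS256 against an RSA key (the public-key-as-HMAC-secret confusion) fails before any signature check. The registry layout, the kid values and the short `exp` check are assumptions of the example.

```python
import base64, hashlib, hmac, json, time

# Constructed registry: each kid records the algorithm and key kind it is for.
# The RSA entry only demonstrates the mismatch rejection; no RSA verification is done here.
KEY_REGISTRY = {
    "hs-2024-01": {"alg": "HS256", "kind": "hmac", "key": b"constructed-shared-secret"},
    "rs-2024-01": {"alg": "RS256", "kind": "rsa-public", "key": b"-----BEGIN PUBLIC KEY----- (placeholder)"},
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_hs256(claims: dict, kid: str) -> str:
    """Issue a short-lived HS256 token carrying the kid of the signing key."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + _segment(claims)
    sig = hmac.new(KEY_REGISTRY[kid]["key"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify(token: str, now: int) -> dict:
    """Return the claims or raise ValueError. The algorithm comes from the registry, never from the token."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, json.JSONDecodeError) as e:   # binascii.Error is a ValueError subclass
        raise ValueError("malformed token") from e
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("alg none rejected")          # hardcoded, not a configurable option
    entry = KEY_REGISTRY.get(header.get("kid"))
    if entry is None:
        raise ValueError("unknown kid")
    if alg != entry["alg"]:
        raise ValueError("alg does not match key")     # blocks RSA public key used as HMAC secret
    if entry["kind"] != "hmac":
        raise ValueError("only hmac keys are verified in this example")
    expected = hmac.new(entry["key"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")     # minutes-long validity per the issue
    return claims

def check(token: str, now: int = None) -> dict:
    """Wrapper that reports the rejection reason instead of raising, for callers that log it."""
    try:
        return verify(token, int(time.time()) if now is None else now)
    except ValueError as e:
        return {"error": str(e)}
```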