Auth implementation is not secure. #4

Open
dominicgaliano opened this issue Oct 16, 2023 · 0 comments

Comments

@dominicgaliano

I don't believe that this system is very secure, as:

  • There is no way to invalidate tokens.
  • On logout, the user is simply passed an expired token.
  • This means that a bad actor could easily use the old token to access the account.
  • The only safeguard is sending the token as an httpOnly cookie, which merely prevents scripts from accessing the token on supported browsers.

In general, JWTs should have short times to expiry unless they can be revoked (such as by using a whitelist/blacklist on server).

Decreasing the JWT's time to live will only decrease user satisfaction by requiring more frequent re-logins.

The best way to solve the issue (in my opinion) would be to save some kind of session-based approach. This will reduce the scalability of the app, though this could be improved by implementing a dedicated auth server or by using a 3rd party authentication provider.

Not sure whether this is in the scope of the project, but I wanted to get these concerns out there just in case anyone is considering using this auth scheme in their own projects.
