
refactor: add fingerprint to JWT #330

Merged
merged 21 commits into from
Aug 14, 2022

Conversation

ravenclaw900 (Owner) commented Aug 10, 2022

Following best practices from https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md#token-sidejacking.
Also doesn't send the token with every message, instead storing it in the memory of the backend and only sending it with a dedicated message.
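The OWASP token-sidejacking mitigation the description refers to, as an added stand-alone example in Python (not code from this PR or from the project): a random fingerprint is issued alongside the JWT, only the SHA-256 hash of the fingerprint is stored in the token, and verification requires both the signature and a matching fingerprint cookie. The HS256 signing, the `fgp` claim name and the `SECRET` value are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the demo; a real backend holds a random key in memory.
SECRET = b"constructed-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str):
    """Return (jwt, fingerprint).
    The raw fingerprint is meant for a hardened cookie (HttpOnly, Secure, SameSite);
    only its SHA-256 hash travels inside the token, so a sidejacked JWT without the
    cookie fails verification.
    """
    fingerprint = secrets.token_hex(32)
    claims = {"sub": user, "fgp": hashlib.sha256(fingerprint.encode()).hexdigest()}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}", fingerprint

def verify_token(token: str, fingerprint_cookie):
    """Return the claims when signature and fingerprint both check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    # Pin the algorithm: never trust the alg the token itself announces.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    # The token alone is not enough: the cookie must hash to the fgp claim.
    if fingerprint_cookie is None:
        return None
    got = hashlib.sha256(fingerprint_cookie.encode()).hexdigest()
    if not hmac.compare_digest(got, claims.get("fgp", "")):
        return None
    return claims
```

The fingerprint value itself must only ever be sent in the cookie, never inside the token or the websocket message, otherwise the binding buys nothing.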

@ravenclaw900 ravenclaw900 added the "security" label (Fixes to do with authentication or tokens) Aug 13, 2022
@ravenclaw900 ravenclaw900 changed the title from "refactor(backend): add fingerprint to JWT" to "refactor: add fingerprint to JWT" Aug 14, 2022
@ravenclaw900 ravenclaw900 enabled auto-merge (squash) August 14, 2022 15:23
@ravenclaw900 ravenclaw900 merged commit 2a35eed into main Aug 14, 2022
@ravenclaw900 ravenclaw900 deleted the token-msg branch August 14, 2022 15:23
ravenclaw900 (Owner, Author) commented Nov 6, 2022

I'm probably going to have to revert the fingerprint part of this since it can cause problems with multiple nodes and sending/setting cookies cross-domain.

ravenclaw900 (Owner, Author) commented Nov 6, 2022

The only way I can think of to get around it would be to only use the token generated by the node with the frontend, and use asymmetric signatures (pub/priv key) to verify the token. It still involves sending the cookie to another domain, but that actually seems like it can be done. The only big problem is getting the public key from the frontend node to the backend node(s), and it also wouldn't allow raw websocket access to only the backend node.

ravenclaw900 (Owner, Author) commented

Hmm, after doing some research (reading random Reddit comments and looking up interesting things that they talked about), a Diffie–Hellman key exchange might let all of the nodes connect and get one shared secret to verify the token.

Labels
security Fixes to do with authentication or tokens