refactor: add fingerprint to JWT #330
Conversation
This reverts commit 18bb541.
I'm probably going to have to revert the fingerprint part of this since it can cause problems with multiple nodes and sending/setting cookies cross-domain.
The only way I can think of to get around it would be to only use the token generated by the node with the frontend, and use asymmetric signatures (pub/priv key) to verify the token. It still involves sending the cookie to another domain, but that actually seems like it can be done. The only big problem is getting the public key from the frontend node to the backend node(s), and it also wouldn't allow raw websocket access to only the backend node.
Hmm, after doing some research (reading random Reddit comments and looking up interesting things that they talked about), a Diffie–Hellman key exchange might let all of the nodes connect and get one shared secret to verify the token.
Following best practices from https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md#token-sidejacking.
Also doesn't send the token with every message, instead storing it in the memory of the backend and only sending it with a dedicated message.
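The token-sidejacking mitigation the description links to, shown as an added example that is not this project's code: a random fingerprint goes to the client in a hardened cookie, its SHA-256 hash is embedded in the JWT, and verification requires both, so a token captured on its own no longer works. The cookie name `__Secure-Fgp`, the claim name `userFingerprint`, the HS256 signing and the test secret are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, subject: str) -> tuple:
    """Issue an HS256 JWT bound to a fresh random fingerprint.
    Returns (jwt, raw_fingerprint): the raw value is sent to the client only
    in a hardened cookie, while the token carries just its SHA-256 hash."""
    fingerprint = secrets.token_hex(32)
    fp_hash = hashlib.sha256(fingerprint.encode()).hexdigest()
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "userFingerprint": fp_hash}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}", fingerprint

def fingerprint_cookie(fingerprint: str) -> str:
    """Set-Cookie value for the fingerprint (cookie name is an assumption):
    HttpOnly, Secure and SameSite=Strict so scripts cannot read it and
    browsers do not attach it to cross-site requests."""
    return f"__Secure-Fgp={fingerprint}; HttpOnly; Secure; SameSite=Strict"

def verify_token(secret: bytes, token: str, cookie_fp: Optional[str]) -> Optional[dict]:
    """Return the claims only if the signature is valid AND the fingerprint
    cookie hashes to the value inside the token; otherwise None.
    A token stolen without its cookie fails the second check."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if cookie_fp is None:
            return None  # token presented without the fingerprint cookie
        cookie_hash = hashlib.sha256(cookie_fp.encode()).hexdigest()
        if not hmac.compare_digest(cookie_hash, str(claims.get("userFingerprint", ""))):
            return None
        return claims
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
```

Because only the hash is inside the token, a second node that shares the signing secret can verify the pair without ever having seen the raw fingerprint.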