Using token instead of credentials to authenticate admin user #8

Open
dariocravero opened this issue Feb 20, 2016 · 4 comments

@dariocravero
Contributor

Admin credentials are necessary if you're using the couch session store.

In order to avoid exposing those directly, what do you think about allowing the use of a token instead of a username/password? The token could be either one that doesn't expire or one that expires in 3 months or so (up to you) and is treated like an SSL cert that has to be renewed.

I guess this opens the door to API keys to applications in a way. :)

What are your thoughts around this?
Cheers,
Darío

@tyler-johnson
Member

Yes I agree that storing admin credentials is not ideal.

I think creating a JWT for the user instead could be a good replacement. Are you thinking that the user would create a token with {"name":null,"roles":["_admin"]} or a different role (as mentioned by #10)?

My only concern is that tokens become almost impossible to invalidate. If an attacker gained access to the token, the only course of action would be to change the secret used and in the process invalidate every token created, forcing all users to sign in again. Whereas with a username and password, only the password would have to be changed. Of course, a focused token (i.e. one that only has access to the session database) is probably better than using admin credentials.

I agree though that this does open the doors for API keys which is yet another reason to use this over the built in authentication.

@dariocravero
Contributor Author

@tyler-johnson sorry for the delay, it was a busy day. As of this PR we have blacklisting tokens sorted :). I'd be inclined to use specific roles.

@tyler-johnson
Member

Ahh yes blacklisting does more or less fix this issue. Okay, I will put together some documentation on how to use JWTs to authenticate with the session database instead of an admin name and password.

@dariocravero
Contributor Author

Good stuff!

