
Persist auth tokens on db #569

Closed
NeonXP opened this Issue Sep 13, 2017 · 5 comments


NeonXP commented Sep 13, 2017

Hello. Is it possible to authorise users by tokens (i.e. a generated UUID) that are stored in the DB (a dedicated sessions collection or a "tokens" field on the users collection), without a JWT that is stored only on the client side?

Pros: You can invalidate a user's session on the server side (i.e. if the user changed their password we need to log them out) or from another session ("Logout from other devices" feature).
Cons: Need to check the token on every request.

daffl commented Sep 27, 2017

Token blacklisting functionality is being tracked in #73; there is some discussion there, but currently you'd still have to implement that yourself manually (with a custom JWT verifier).

TimNZ commented Jan 17, 2018

I'm trying to follow all the discussions around JWT token revocation.

In the traditional world sessions are tracked in a table, and can be revoked easily and immediately.

How did FeathersJS end up with an architecture that doesn't support this?

daffl commented Jan 17, 2018

It ended up with that by choosing JWT as the authentication mechanism which has its own advantages and disadvantages. By architecture you still have the option to choose a different authentication mechanism but most "traditional" mechanisms are much more difficult to use when it comes to integrating websockets transparently.

TimNZ commented Jan 17, 2018

Brainstorming.

Since you guys have done a good job of making a pipeline that can be hooked into at various points, can I create a 'feathers-authentication-session' module that implements traditional session support, e.g. persisting the generated JWT tokens, so that this store is checked first and the JWT is refused if it doesn't exist?
I presume failed JWTs result in the client SDKs clearing them out of storage?

This should be invisible to clients and achieves what people are expecting?

TimNZ commented Jan 17, 2018

I am tracing through the authentication module now to bullet point the flow to see if this works and how to do it.
