As per @nicholasio's suggestion, we should not store the capabilities and allowed_methods in the JWT and keep them in the code instead. The token should only contain a type, like type=preview. Then, the code should check if type=preview is present and grant the proper capabilities, instead of relying on the information stored in the JWT. That way, no other capabilities can be granted, even if the private keys (SECURE_AUTH_KEY or FRONTITY_JWT_AUTH_KEY) are exposed.
He also suggests that we add a Frontity signature. I guess it could be as simple as generator=frontity because it will be simply used to avoid reading a token that was not generated by us, but that also used SECURE_AUTH_KEY for the private key.
SantosGuillamot changed the title from "Restrict capabilities that can be performed through the JWT token" to "Restrict capabilities that can be performed through the JWT token [3pt]" on Mar 18, 2021
The conversation and full @nicholasio explanation is here: https://community.frontity.org/t/wordpress-preview-support/2419/30?u=luisherranz