Restrict capabilities that can be performed through the JWT token [3pt] #7

Closed
luisherranz opened this issue Nov 18, 2020 · 1 comment · Fixed by #16
@luisherranz
Member

As per @nicholasio's suggestion, we should not store the capabilities and allowed_methods in the JWT and keep them in the code instead. The token should only contain a type, like type=preview. Then, the code should check if type=preview is present and grant the proper capabilities, instead of relying on the information stored in the JWT. That way, no other capabilities can be granted, even if the private keys (SECURE_AUTH_KEY or FRONTITY_JWT_AUTH_KEY) are exposed.

He also suggests that we add a Frontity signature. I guess it could be as simple as generator=frontity, because it will simply be used to avoid reading a token that was not generated by us but that also used SECURE_AUTH_KEY as the private key.

The conversation and full @nicholasio explanation is here: https://community.frontity.org/t/wordpress-preview-support/2419/30?u=luisherranz

@luisherranz
Member Author

We have started working on this on this branch, although it is not working yet: https://github.com/frontity/frontity-embedded/tree/restrict-token-capabilities

@SantosGuillamot SantosGuillamot added this to To do in Sprint 13 via automation Mar 18, 2021
@SantosGuillamot SantosGuillamot moved this from To do to In review in Sprint 13 Mar 18, 2021
@SantosGuillamot SantosGuillamot moved this from In review to Backlog in Sprint 13 Mar 18, 2021
@SantosGuillamot SantosGuillamot changed the title Restrict capabilities that can be performed through the JWT token Restrict capabilities that can be performed through the JWT token [3pt] Mar 18, 2021
@SantosGuillamot SantosGuillamot moved this from Backlog to To do in Sprint 13 Apr 6, 2021
@luisherranz luisherranz linked a pull request Apr 16, 2021 that will close this issue
@luisherranz luisherranz moved this from To do to In review in Sprint 13 Apr 16, 2021
Sprint 13 automation moved this from In review to Done Apr 20, 2021