Sign JWTs with the user's password hash
Instead of hardcoding the JWT signing secret in the binary, use each user's password hash as the secret. When the user changes password, the secret will automatically change, thus automatically revoking all existing logins. In addition, these hashes are less guessable (than using a hardcoded string or even a single secret for the entire app), since they are cryptographically secure random strings and different for every user. To validate the token, we now need to fetch the user from the ID stored in the token itself. To make this easier, store the user ID in the token header under the key "kid".
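The scheme described in the commit, as an added Python example that is not the repository's own code: HS256 tokens signed with the user's stored password hash, the user ID carried in the header as "kid", and verification that looks the user up by that ID. The in-memory USERS store, its hash values and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed in-memory user store; the value stands in for a real password
# hash (e.g. bcrypt output) and is not a real credential.
USERS = {"42": {"password_hash": "$2b$12$constructedSaltAndHashForUser42"}}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(user_id: str, claims: dict) -> str:
    # Per-user secret: the user's current password hash, not an app-wide key.
    secret = USERS[user_id]["password_hash"].encode()
    # The user ID rides in the header under "kid" so the verifier can find the secret.
    header = {"alg": "HS256", "typ": "JWT", "kid": user_id}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str):
    """Return the claims if the signature is valid under the kid user's
    *current* password hash, otherwise None (so a password change revokes it)."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
    except ValueError:          # malformed base64, JSON or segment count
        return None
    # Pin the algorithm: the token must never choose it ("none", RS256, ...).
    if header.get("alg") != "HS256":
        return None
    # kid is untrusted input: use it only as a lookup key, never as a secret.
    user = USERS.get(str(header.get("kid")))
    if user is None:
        return None
    expected = hmac.new(user["password_hash"].encode(),
                        f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        return None
    return json.loads(_unb64url(c_b64))

def change_password(user_id: str, new_hash: str) -> None:
    # Rotating the stored hash invalidates every token signed under the old one.
    USERS[user_id]["password_hash"] = new_hash
```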
Showing 3 changed files with 66 additions and 18 deletions.