Topics

Theo's Typesafe Cult•2y ago

Hycord | @ When Replying

Session_ID in JWT

In my app I use JWT so I can verify that the token has not been tampered with, however the only information I store in it is the user's session_id. Nothing else, no user data, just the session id. Should I be just using a cookie or something similar? Thankyou!

46 Replies

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

That's true

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

And I can just encrypt the sessionId with some type of device-specific data to stop the cookie from being stolen, no?

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

- User signs in, server recieves
  - User
  - pass
  - device mac addr or something
- encrypt `${session_id}-${user_mac_address}` and return to client as cookie

- every req to server would contain the user's mac addr or whatever device-specific data and checks whether it matches the encrypted value

- User signs in, server recieves
  - User
  - pass
  - device mac addr or something
- encrypt `${session_id}-${user_mac_address}` and return to client as cookie

- every req to server would contain the user's mac addr or whatever device-specific data and checks whether it matches the encrypted value

is this a way to help prevent a cookie being stolen? I'd be encrypting it just like I encrypt passwords/emails/etc in db

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

That's just the first thing I thought of that's device-specific, is there any way to grab device-specific data reliably?

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

Hmm

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

I actually am using discord oAuth but yeah I hash access and refresh token iirc

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

let me grab my encryption code

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

import { BoringCrypto, SymmetricKey } from "ciphersweet-js";

let brng = new BoringCrypto();
let key = new SymmetricKey(env.ENCRYPTION_KEY);

...

    const hashedAccessToken = await brng.encrypt(access_token, key);
    const hashedRefreshToken = await brng.encrypt(refresh_token, key);

import { BoringCrypto, SymmetricKey } from "ciphersweet-js";

let brng = new BoringCrypto();
let key = new SymmetricKey(env.ENCRYPTION_KEY);

...

    const hashedAccessToken = await brng.encrypt(access_token, key);
    const hashedRefreshToken = await brng.encrypt(refresh_token, key);

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

Ah ok Should I be hashing this data?

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

This app isn't even close to prod so it's not a big deal to add it if it's going to increase security

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

ahhhh That makes sense Encryption is nuked if my env file gets leaked lmao

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

Ok, that makes sense!

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

👍 The only issue Oh wait

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

it doesn't matter if they steal the user's sessionID because we proxy the discord API and cahce results so even if they spam to their hearts content they won't ever abuse discord's API

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

Discord bot dashboard

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

More so on the level of our bot getting banned That was my concern, because even though it's a user's access token, discord links it to the bot so if you give your user their access token and someone steals it to abuse with, then our bot gets flagged and blocked for abuse even though it was the user's access token

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

We need identify email guilds guilds.join guilds.members.read email less so but for later on we want it Currently the email is ignored

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

I use jsonwebtokens (https://npmjs.com/package/jsonwebtokens) presently

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Hycord | @ When Replying•2y ago

https://www.npmjs.com/package/jsonwebtoken

npm

JSON Web Token implementation (symmetric and asymmetric). Latest version: 8.5.1, last published: 4 years ago. Start using jsonwebtoken in your project by running npm i jsonwebtoken. There are 21668 other projects in the npm registry using jsonwebtoken.

Hycord | @ When Replying•2y ago

it doesn't have an s idk why I thought it did

Çağlar•2y ago

I have couldnt find out how to change that output

Hycord | @ When Replying•2y ago

Does this have anything to do with what this thread is about? lmao

Çağlar•2y ago

I thought there is

Hycord | @ When Replying•2y ago

If I'm wrong please correct me

Unknown User•2y ago

Message Not Public

Sign In & Join Server To View

Çağlar•2y ago

Pondwater's first answer is pretty similar that I have asked sorry for bother

Hycord | @ When Replying•2y ago

You're fine, just wasn't sure if it was related to this and I wasn't seeing how

Theo's Typesafe Cult Join

21KMembers

View on Discord

Want results from more Discord servers?

Add your server