Theo's Typesafe Cult
•Created by Sebi<3 on 1/18/2025 in #questions
How to get a refund? I wanted to use it for Claude but this AI can't even read PDFs :(
Don't know if they will refund you, but for all that you can ask in #t3-chat
4 replies
Theo's Typesafe Cult
•Created by Jimmy Page on 12/27/2024 in #questions
JWT with long-lived Refresh Tokens
You have to look up in the DB when refreshing tokens, or you won't get updated context (updated roles, etc.) in the JWT token.
I didn't quite understand your last point.
I am sorry, I didn't quite understand the question; English is not my first language.
Yes, the "white list".
A memory black list will grow really fast.
If yes, it becomes stateful auth indeed.
If no, it IS a security concern.
Do you add the old refresh token to the black list?
1) With a black list you have to look up in the black list AND in the user/token table with each request. With a whitelist you have to look up in the database only once.
2) Now let's say this scenario occurs:
you are storing 1500 tokens;
250 of these tokens leak and the system automatically revokes these refresh tokens.
The blacklist will store 250 tokens.
The question: what will happen if the user generates a new refresh token?
Yes, you can say that.
The black list will use more and more memory.
Why would you want to save all 3 refresh tokens in the black list when you can just update the refresh token that is related to the user once?
Imagine if a user's refresh token is leaked 3 times in a row; are you going to add all 3 refresh tokens to the black list?
No, because refresh tokens are valid for days/months.
You will save the refresh token in the blacklist until it expires.
You are talking about leakage of the refresh token, right? The only usage of a refresh token is to hit the refresh-token endpoint. In that endpoint you check if the refresh token matches the refresh token that is assigned to the user. If a refresh token was leaked, you can update the user's refresh token, basically making it useless for generating new tokens.
That is why I recommended learning about security not from blog posts or first search results; they will always say 1:1 what others say. I was a victim of this once myself.
I was talking about both: access token and refresh token.
You do not allow a user to delete an account without an additional security step; at minimum you require a password.
Again, you don't need to put the refresh token in a blacklist; you simply update the database with a new refresh token.
Assuming that you implemented short-lived and long-lived tokens, it is practically impossible to cause any real harm to the user, or to have any time to receive a report and add the access token to a deny list.
Not really; blacklisting is not for stolen tokens, more like 1) log-out of an access token, 2) banning a user.
A stolen refresh token can be easily mitigated by updating the database with a new refresh token.
76 replies
Theo's Typesafe Cult
•Created by BlueBeka on 12/29/2024 in #questions
Is this a safe use of reading a ref during render?
You use {} in JSX for rendering other JSX, and in the process sometimes you do some calculations if you want. Here you use {} to do some logic without returning any JSX.
9 replies