steveyash
TTCTheo's Typesafe Cult
Created by Jimmy Page on 12/27/2024 in #questions
JWT with long-lived Refresh Tokens
76 replies

possibly. you'd just need enough information to invalidate the JWT.

xss is just one possible vulnerability

user enters their username / password again

Handling expired refresh tokens depends on your business rules. For some use cases (such as banks, for example), you may not allow the refresh token to be renewed. But in other cases, the refresh tokens can be renewed.

Using a refresh token and an access token provides a good mix of security, revocability and performance without adding significant amounts of complexity. Think of the typical lifecycle:
1. User logs in - is granted a refresh token.
2. User calls some APIs, does some things - they would use a short lived access token.
3. Someone hacks both the access token and refresh token.

Revocation: the access token could be allowed to expire, or a small kv-db or cache could be used to revoke it. Problem solved for the access token, but not yet the refresh token. Since you are rarely touching the refresh token, it can be less optimized - keep a token id in the JWT refresh token and mark it revoked at the database. It shouldn't have a huge performance penalty because the refresh tokens are rarely used. The best part is since access tokens are very unlikely to be revoked, the amount of storage required to store if an access token is revoked is negligible.

Performance: There will always be fewer access tokens than refresh tokens. They expire fast, so do not need to be persisted long term. It's really easy to optimize them to use redis or another lightning fast store. Obviously, if someone gets a hold of an access token or refresh token, it takes moments to destroy someone's account. Thus for destructive actions, it's anyways a good idea to re-authenticate the user.
TTCTheo's Typesafe Cult
Created by I'm Not An Engineer on 12/28/2024 in #questions
Are Serverless functions the right thing for me?
24 replies

GH pages is just a static host. Use S3 or literally anything else - even your own hard drive.

@I'm Not An Engineer Weird idea - why not run everything locally and build to static files? Moreover, if you are the only one adding content, you might be able to get by with Jekyll or smtn and host on GH pages :).