lipp/login-with

Discuss: Security concerns

Open

#30 aperta il 6 lug 2017

Vedi su GitHub
 (7 commenti) (0 reazioni) (0 assegnatari)JavaScript (168 fork)batch import
help wanted

Metriche repository

Star
 (2322 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

I think it's unsafe to leave sensitive data such as access tokens (in the case of Oauth2 like Google).

If an attacker is able to retrieve a cookie he can easily decode the JWT token and use the access token to issue arbitrary requests to the authentication provider APIs and retrieve any information that might have been originally granted to it by the user (e.g. read my Gmail emails...).

I think the point of this lib is to make this kind of authentication processes stateless (or backendless) and storing the access tokens directly in the cookie is an easy win. Anyway I would at least try to protect this sensitive data by applying some level of encryption, maybe a simple symmetric encryption, using the same secret used to generate the JWT token signature as key would enough...

I look forward to knowing the community thoughts on this matter

Guida contributor