Discuss: Security concerns · lipp/login-with#30

(7 comments) (0 reactions) (0 assignees)JavaScript (2,322 stars) (168 forks)batch import

help wanted

Description

I think it's unsafe to leave sensitive data such as access tokens (in the case of Oauth2 like Google).

If an attacker is able to retrieve a cookie he can easily decode the JWT token and use the access token to issue arbitrary requests to the authentication provider APIs and retrieve any information that might have been originally granted to it by the user (e.g. read my Gmail emails...).

I think the point of this lib is to make this kind of authentication processes stateless (or backendless) and storing the access tokens directly in the cookie is an easy win. Anyway I would at least try to protect this sensitive data by applying some level of encryption, maybe a simple symmetric encryption, using the same secret used to generate the JWT token signature as key would enough...

I look forward to knowing the community thoughts on this matter

Contributor guide

Tech stack: javascriptnodejs
Domain: securityauthentication
Issue type: security
Difficulty: 4
Estimated time: 1-3 hours
Activity status: stale
Clarity: clear
Prerequisites: OAuth2 basicsJWT knowledgeNode.jsencryption concepts
Newbie friendliness: 15
Research direction: Review the login with source code to understand current cookie handling for access tokens. Evaluate symmetric encryption options like AES using the JWT secret as the key. Consider implementing middleware to encrypt/decrypt tokens or modifying cookie serialization. Discuss the performance trade offs and potential integration issues.