Feathers: Restrict authentication by JWT

Created on 29 Aug 2018  路  6Comments  路  Source: feathersjs/feathers

_From @m0dch3n on April 11, 2018 10:30_

If you do

app.authenticate({
  strategy: 'jwt',
  accessToken: 'current access token'
});

You get a new access token every time, with new expiresIn etc, so theoretically, you no longer need the users password to know, because you can simply refresh your token before expiration, by this method.

So if a bad guy steals one of my clients jwt, I'm no longer able to block the user account.

If I blacklist the jwt, I need a database lookup. However if the bad guy already refreshed the jwt, I need to know the whole chain, to block every jwt he generated, so I can't simply block the first stolen jwt...

So I can't blacklist him, nor will the jwt ever expire. The only solution would be, to change my servers secret, however, this would invalidate ALL my others client's session.

So should authentication by jwt not simply verify and return the original jwt, and not generate a new one everyone ?

_Copied from original issue: feathersjs/authentication-jwt#61_

Authentication Breaking Change
Source
picture daffl

Most helpful comment

This has been addressed in v4 authentication which returns the existing JWT instead of creating a new on. See the Migration guide for more information on how to upgrade.

picture daffl on 6 Jun 2019
👍21

All 6 comments

_From @m0dch3n on April 12, 2018 8:57_

Here is a hook, I currently created, to solve the problem

```javascript
const {checkContext} = require('feathers-hooks-common');

module.exports = function () {
return async context => {
checkContext(context, 'after', ['create', 'update', 'patch'], 'jwtAuthentication')
if (context.path === 'authentication' && context.data && context.data.strategy === 'jwt') {
context.result.accessToken = context.data.accessToken
}
return context
}
}
```

daffl picture daffl on 29 Aug 2018
2

I was under the impression that JWT auth will just verify and return the existing token but it appears that it creates a new one, so you are correct. Your hook is definitely the way to go at the moment, I created a similar fix in https://github.com/feathersjs/authentication/pull/664. Unfortunately it will probably have to be a major release since people probably depend on this behaviour.

I am also working on a new version of the authentication library that will be framework independent, support refresh tokens and blacklisting and not have this issue.

daffl picture daffl on 29 Aug 2018
👍1

_From @m0dch3n on April 13, 2018 5:9_

Ok, that would be great!

That would also close the issue which I referenced above.

I said also a few words about an access/refresh pattern there :

https://github.com/feathersjs/authentication/issues/22#issuecomment-380859393

daffl picture daffl on 29 Aug 2018

_From @andysay on April 15, 2018 8:14_

nice!

daffl picture daffl on 29 Aug 2018

_From @ydeshayes on April 15, 2018 13:13_

Do the token expire date is renewed in this case?

daffl picture daffl on 29 Aug 2018

This has been addressed in v4 authentication which returns the existing JWT instead of creating a new on. See the Migration guide for more information on how to upgrade.

daffl picture daffl on 6 Jun 2019
👍21
Was this page helpful?
0 / 5 - 0 ratings

Related issues

harrytang picture harrytang  路  3Comments
eric-burel picture eric-burel  路  3Comments
huytran0605 picture huytran0605  路  3Comments
perminder-klair picture perminder-klair  路  3Comments
arve0 picture arve0  路  4Comments