#dev 2021-10-24

2021-10-24 UTC
[tantek]
https://indieweb.org/wiki/index.php?diff=77582&oldid=77577 makes me think I should construct a few symbolic maps out of my CSS-only hoverable hexagons (like US map, California counties map) and opensource it cc-by
[tantek]
and maybe even do a number of bytes comparison
gerben, Seirdy, hendursa1, oodani, kogepan, Loqi, Murray[d], akevinhuang, chenghiz_ and nsh joined the channel
capjamesg[d]
Is it safe to store revoked IndieAuth tokens in plain text in a db?
capjamesg[d]
I have a revoked_tokens table in my db to keep track of any tokens on which the "revoke" action has been executed.
capjamesg[d]
Those tokens cannot be used to do anything; their inclusion in the table makes them useless.
jeremy joined the channel
GWG
capjamesg[d]: What do you do with revoked tokens?
GWG
Namely... why are you keeping them?
[jacky]
that's a method to prevent token replaying IIRC
[jacky]
tbh I'm keeping my tokens plain text in my db for now
[jacky]
I was thinking about hashing them but the db itself is encrypted (sqlcipher)
capjamesg[d]
Exactly [jacky].
capjamesg[d]
GWG My tokens use JWT to store the requisite information.
capjamesg[d]
Thus, I don't need a DB to store every key, callback url, etc.
capjamesg[d]
If I don't track revoked tokens, I have no way of knowing whether a "revoke" action has been submitted against a token.
[jacky]
I was thinking about using JWTs (and then PASETO to overcome the weakness of JWTs) but I don't want to share too much info to the client and it makes it a bit easier for me to adjust token permissions from the server without having to update the token used (when I tried doing that with my implementation in Elixir, it altered the _actual_ JWT)
jamietanna joined the channel
jamietanna
one way to do it, with JWTs is to have the `jti` (JWT ID) that can then be stored for the revoke, rather than the whole token, which will be larger than the UUID for the JWT ID
jamietanna
that's my plan, once I get around to implementing revoke
capjamesg[d]
That is a good idea jamietanna.
capjamesg[d]
Curious: is something similar implemented in other auth systems that use JWT?
capjamesg[d]
[jacky] PASETO?
capjamesg[d]
I am going to implement that jamietanna. Thank you!
capjamesg[d]
jamietanna++
Loqi
jamietanna has 9 karma in this channel over the last year (15 in all channels)
capjamesg[d]
Thanks jacky. This looks interesting.
Loqi joined the channel
jamietanna
Got some interesting links about it on https://www.jvt.me/tags/paseto/ too :)
jamietanna
Yeah I've seen at least one Identity solution do that with their JWTs :)
tetov-irc and Seirdy joined the channel