#dev 2021-10-24
2021-10-24 UTC
# [tantek] https://indieweb.org/wiki/index.php?diff=77582&oldid=77577 makes me think I should construct a few symbolic maps out of my CSS-only hoverable hexagons (like US map, California counties map) and opensource it cc-by
gerben, Seirdy, hendursa1, oodani, kogepan, Loqi, Murray[d], akevinhuang, chenghiz_ and nsh joined the channel
# capjamesg[d] Is it safe to store revoked IndieAuth tokens in plain text in a db?
# capjamesg[d] I have a revoked_tokens table in my db to keep track of any tokens on which the "revoke" action has been executed.
# capjamesg[d] Those tokens cannot be used to do anything; their inclusion in the table makes them useless.
jeremy joined the channel
# capjamesg[d] Exactly [jacky].
# capjamesg[d] GWG My tokens use JWT to store the requisite information.
# capjamesg[d] Thus, I don't need a DB to store every key, callback url, ect.
# capjamesg[d] *etc
# capjamesg[d] If I don't track revoked tokens, I have no way of knowing whether a "revoke" action has been submitted against a token.
# [jacky] I was thinking about using JWTs (and then PASETO to overcome the weakness of JWTs) but I don't want to share too much info to the client and it makes it a bit easier for me to adjust token permissions from the server without having to update the token used (when I tried doing that with my implementation in Elixir, it altered the _actual_ JWT)
jamietanna joined the channel
# jamietanna one way to do it with JWTs is to have the `jti` (JWT ID) that can then be stored for the revoke, rather than the whole token, which will be larger than the UUID for the JWT ID
# jamietanna that's my plan, once I get around to implementing revoke
# capjamesg[d] That is a good idea jamietanna.
# capjamesg[d] Curious: is something similar implemented in other auth systems that use JWT?
# capjamesg[d] [jacky] PASETO?
# capjamesg[d] I am going to implement that jamietanna. Thank you!
# capjamesg[d] jamietanna++
# capjamesg[d] Thanks jacky. This looks interesting.
Loqi joined the channel
# jamietanna Got some interesting links about it on https://www.jvt.me/tags/paseto/ too :)
# jamietanna Yeah I've seen at least one Identity solution do that with their JWTs :)
tetov-irc and Seirdy joined the channel