#dev 2021-10-24

2021-10-24 UTC
# 02:33 
[tantek] https://indieweb.org/wiki/index.php?diff=77582&oldid=77577 makes me think I should construct a few symbolic maps out of my CSS-only hoverable hexagons (like US map, California counties map) and opensource it cc-by
# 02:33 
[tantek] and maybe even do a number of bytes comparison
gerben, Seirdy, hendursa1, oodani, kogepan, Loqi, Murray[d], akevinhuang, chenghiz_ and nsh joined the channel
# 16:45 
capjamesg[d] Is it safe to store revoked IndieAuth tokens in plain text in a db?
# 16:45 
capjamesg[d] I have a revoked_tokens table in my db to keep track of any tokens on which the "revoke" action has been executed.
# 16:46 
capjamesg[d] Those tokens cannot be used to do anything; their inclusion in the table makes them useless.
jeremy joined the channel
# 17:00 
GWG capjamesg[d]: What do you do with revoked tokens?
# 17:00 
GWG Namely... why are you keeping them?
# 17:05 
[jacky] that's a method to prevent token replaying IIRC
# 17:05 
[jacky] tbh I'm keeping my tokens plain text in my db for now
# 17:05 
[jacky] I was thinking about hashing them but the db itself is encrypted (sqlcipher)
# 17:09 
capjamesg[d] Exactly [jacky].
# 17:09 
capjamesg[d] GWG My tokens use JWT to store the requisite information.
# 17:10 
capjamesg[d] Thus, I don't need a DB to store every key, callback url, ect.
# 17:10 
capjamesg[d] *etc
# 17:10 
capjamesg[d] If I don't track revoked tokens, I have no way of knowing whether a "revoke" action has been submitted against a token.
# 17:15 
GWG Oh
# 17:25 
[jacky] I was thinking about using JWTs (and then PASETO to overcome the weakness of JWTs) but I don't want to share too much info to the client and it makes it a bit easier for me to adjust token permissions from the server without having to update the token used (when I tried doing that with my implementation in Elixir, it altered the _actual_ JWT)
jamietanna joined the channel
# 17:49 
jamietanna one way to do it, with JWTs is to have the `jti` (JWT ID) that can then be stored for the revoke, rather than the whole token, which will be larger than the UUID for the JWT ID
# 17:49 
jamietanna that's my plan, once I get around to implementing revoke
# 17:54 
capjamesg[d] That is a good idea jamietanna.
# 17:54 
capjamesg[d] Curious: is something similar implemented in other auth systems that use JWT?
# 17:54 
capjamesg[d] [jacky] PASETO?
# 17:55 
capjamesg[d] I am going to implement that jamietanna. Thank you!
# 17:55 
[jacky] https://paseto.io/
# 17:55 
capjamesg[d] jamietanna++
# 17:55 
Loqi jamietanna has 9 karma in this channel over the last year (15 in all channels)
# 17:56 
capjamesg[d] Thanks jacky. This looks interesting.
Loqi joined the channel
# 20:05 
jamietanna Got some interesting links about it on https://www.jvt.me/tags/paseto/ too :)
# 20:06 
jamietanna Yeah I've seen at least one Identity solution do that with their JWTs :)
tetov-irc and Seirdy joined the channel