Code Monkey home page Code Monkey logo

Comments (4)

Mecanik avatar Mecanik commented on July 20, 2024 1

Just a quick note on the above... I've noticed why the SALT is included in the token (

production-saas/src/lib/models/user.ts

Line 236 in e73917a

if (!user || payload.salt !== user.salt) {
) and I understand the idea... but I don't think I have seen any app, ever, publicly showing the SALT of a password.

Need another solution to replace that line.

from production-saas.

lukeed avatar lukeed commented on July 20, 2024 1

Email/uid and salt should be the only things contained in the JWT payload. One piece of public identifiable info (immutable) and a “salt” that is a psssword stand in. When a password is changed, so is salt so that all existing JWTs are immediately invalidated.

from production-saas.

Mecanik avatar Mecanik commented on July 20, 2024

Email/uid and salt should be the only things contained in the JWT payload. One piece of public identifiable info (immutable) and a “salt” that is a psssword stand in. When a password is changed, so is salt so that all existing JWTs are immediately invalidated.

As it stands, everything from User object is included; even the password. Fairly easy to brute force it since we also have the SALT.

On another note, I've checked many JWT aware apps including Netlify, none of them include SALT in the JWT. For the condition payload.salt !== user.salt I'm thinking of an alternative and testing.

from production-saas.

lukeed avatar lukeed commented on July 20, 2024

A “salt” alike is the way to go.

I don’t work at CF anymore. Feel free to open a PR to fix the User object inclusion.

from production-saas.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.