Rework auth to use jwts #2087
Merged
Rework auth to use jwts #2087
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
evansdianga
commented
Apr 29, 2020
| // return next(); | ||
| if (req.isAuthenticated()) { | ||
| return next(); | ||
| const token = req.headers.authorization; |
There was a problem hiding this comment.
Allow for both authorization header and cookie. Ensure cookie is for the same sub-domain.
…at session validity is checked on Appcomponent init
rjcorwin
reviewed
May 7, 2020
| const jwt = require('jsonwebtoken'); | ||
| const expiresIn ='5 minutes'; | ||
| const issuer = 'Tangerine'; | ||
| const jwtTokenSecret = require('crypto').randomBytes(256).toString('base64'); |
There was a problem hiding this comment.
@evansdianga This looks similar to the approach laid out here. Was there another article that you found that talked about this approach?
There was a problem hiding this comment.
Hey @rjsteinert , most approaches coalesced around using a 256 bit cryptographically secure hashes. There is a link in the PR description which links to a discussion on the hapi.js repo as they used a similar approach. The discussion there also lists quite a number of links and gives further info on the approach.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Type of Change
Proposed Solution
Use signed JWTs for authentication.
Server cryptographically signs the JWT and send to client. Client stores the JWT and attaches it to every request. The
Angularclient uses theHTTPInterceptorto attach the token to the request and also to confirm the status of the response of each request.Whenever the server responds with an unauthorized
401status, the client automatically logs out the user and requires a new session to be initiated through a new login.The JWT signing Options are configurable using environment variables.
We make use of the
jsonwebtokenlibrary for the server andjwt-decodelibrary for the client side which enable us decode the encoded JWT to get the response properties.This PR also adds the
rxjs-compatlibrary to enable userxjsWarn user when session is about to end due to inactivity. The current default time is to check every 10 minutes and warn the user if the session duration left is less than 15 minutes
The secret key for signing JWTs is generated using the
cryptomodule inNodeJS. Theres a good conversation here dwyl/hapi-auth-jwt2#48 Initially added a string as JWT key for proof of concept. This is now replaced by the string generated by the crypto lib