PostgREST / postgrest

REST API for any Postgres database
https://postgrest.org
MIT License

fresh DB (no users or tokens created yet), requests with pre-existing token succeed #702

Closed rkoberg closed 8 years ago

rkoberg commented 8 years ago

I have been rolling back/migrating/seeding often. I create a user with an "admin"-type role that has access to all tables. I rollback the DB and migrate/seed so that there are now no tokens or users present in the DB. If my browser still has a token (from a now nonexistent user), and sends that in the request to a protected resource, the request succeeds. Should that be the case?

Additionally/alternatively, how should you check if a token is still valid in the current version of postgREST? What about the soon :) to be released version? I see https://github.com/begriffs/postgrest/issues/428 but no resolution

ruslantalpa commented 8 years ago

If your request succeeds then it means you used the same secret as before and also the role in the jwt token still exists and has access to that table.

JWT is just base64, you decode it and look at the exp field. If there is no such field, the token is valid unless the server changed the secret

rkoberg commented 8 years ago

OK, makes sense.