Roverr / rtsp-stream

Out of box solution for RTSP - HLS live stream transcoding. Makes RTSP easy to play in browsers.
MIT License
713 stars, 166 forks

JWT Token #48

Open alesinicio opened 4 years ago

alesinicio commented 4 years ago

Nowhere in the documentation do you tell exactly how to send the JWT for authentication. Digging through the code, it looks like an "Authorization" header is expected in the GET request. Is that correct? Also, just to clarify: you don't perform any kind of payload validation on the JWT, there is a simple hash validation, right?

Roverr commented 4 years ago

Hi @alesinicio ,

Thanks for opening this issue!

Your concern is fair; it is not properly described how you should use the system with JWT. Of course now you know that it is the standard Authorization: Bearer {token}, but this should be described.

On your second question: yes, it is a simple hash validation. I was thinking of implementing some kind of payload validation but did not come up with a solution, because at that point the service is trading flexibility for security while also introducing more complexity in integration. However, this is a topic I would like to take a deeper look at once I have more time.

alesinicio commented 4 years ago

Thanks for the feedback!

As a suggestion for the hash validation, maybe you could check for the existence of a fixed-name bash script (or Python, or whatever seems the most widely adopted) in a specific directory. If the script exists, the token is passed to it for validation. If not, you fall back to the simple hash validation.

The script would obviously be provided by the user via a Docker volume, thus retaining full flexibility (it works like a user-provided extension).
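To make concrete the distinction Roverr draws between the "simple hash validation" (checking the JWT signature) and the payload validation the issue leaves open, and the kind of user-provided Python check alesinicio suggests, here is an added example that is not rtsp-stream's code: a standalone HS256 verifier that first recomputes the signature and then validates the `iss` and `exp` claims on the value of the `Authorization: Bearer {token}` header. The secret, issuer and token payloads are constructed for the example; how rtsp-stream itself parses tokens, and any script hook, are assumptions rather than the project's API.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to create constructed sample tokens."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(mac)}"


def verify_signature(token: str, secret: bytes) -> dict:
    """The 'simple hash validation': recompute the HMAC over header.payload and compare it
    in constant time. Returns the decoded payload, which is signed but not yet validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(parts[2]), expected):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def verify_claims(payload: dict, issuer: str, now: float) -> None:
    """The payload validation the issue leaves open: issuer must match, exp must be in the future."""
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("missing or expired exp")


def authorize(authorization: str, secret: bytes, issuer: str, now: float) -> dict:
    """Check an 'Authorization: Bearer {token}' header value: signature first, then claims."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    payload = verify_signature(token, secret)
    verify_claims(payload, issuer, now)
    return payload
```

A token with a valid signature but a past `exp` passes `verify_signature` and is only rejected by `verify_claims`, which is exactly the gap a signature-only check leaves.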