Use @adobe/jwt-auth 0.3.0 or greater

macdonst commented 4 years ago

Description

I recently released @adobe/jwt-auth 0.3.0 which expires the temporary JWT it creates after 5 minutes. This is a security improvement I hope everyone move to.

Motivation and Context

The JWT token was valid for 24 hours but since we create the bearer token shortly after creating the JWT and the JWT is never re-used it should expire quickly.

How Has This Been Tested?

Generated an auth token, grabbed the JWT and tried to use it after 5 minutes elapsed time. It was rejected.

Screenshots (if appropriate):

Types of changes

[x] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

[x] I have signed the Adobe Open Source CLA.
[x] My code follows the code style of this project.
[ ] My change requires a change to the documentation.
[ ] I have updated the documentation accordingly.
[x] I have read the CONTRIBUTING document.
[ ] I have added tests to cover my changes.
[x] All new and existing tests passed.

Aaronius commented 4 years ago

Thanks @macdonst!

macdonst commented 4 years ago

@Aaronius np, I did a scan of what repos were using the package so I could let folks know about the change. You may want to setup https://greenkeeper.io/ on the repo which will automatically scan for new versions of dependencies and send you PR's when things change. It's installed for all of the adobe org projects.

adobe / reactor-uploader