The Ansopedia User Service is a backend service responsible for managing user accounts and authentication within the Ansopedia learning platform. It provides functionality such as authentication, authorization, and profile management.
Description:
Currently, the JWT token used for authentication carries its claims as base64url-encoded JSON, so anyone holding the token can read them with tools like jwt.io. A signed JWT lets the server verify authenticity and integrity, but the signature does nothing to protect the confidentiality of the payload. To ensure that sensitive information is not exposed, the JWT token should be encrypted so that its data cannot be viewed by unauthorized parties.
Tasks:
1. Research Encryption Methods:
Investigate and choose a suitable encryption algorithm for JWT tokens (e.g., AES, RSA).
Ensure compatibility with the existing authentication system and libraries being used.
2. Implement JWT Encryption:
Encrypt the JWT payload using the selected encryption algorithm.
Ensure that both access and refresh tokens are encrypted.
Update token generation logic to include encryption steps.
3. Update Token Verification Logic:
Modify the token verification process to first decrypt the token before verifying its signature.
Ensure that decryption happens correctly and does not interfere with existing authentication flows.
4. Handle Key Management:
Implement secure key management for encryption and decryption keys.
Consider using environment variables or secure storage for key management.
5. Test Encrypted JWT Tokens:
Verify that encrypted JWT tokens work correctly across all authentication and authorization processes.
Ensure that encrypted tokens are correctly decrypted and validated during the authentication process.
Test across various environments to ensure compatibility and security.
6. Update Documentation:
Document the encryption approach, including the encryption method and key management.
Provide instructions for developers on how to work with encrypted tokens.
Acceptance Criteria:
JWT tokens are encrypted and no longer expose readable data.
Encrypted tokens can be successfully decrypted and validated during authentication.
Key management is securely implemented.
All tests related to token generation and verification pass successfully.
Issue: Encrypt JWT Token