centrifugal / centrifugo

Scalable real-time messaging server in a language-agnostic way. Self-hosted alternative to Pubnub, Pusher, Ably. Set up once and forever.
https://centrifugal.dev
Apache License 2.0

[feature] Add support for PASETO tokens #586

Open BusterNeece opened 1 year ago

BusterNeece commented 1 year ago

JWT tokens have long been considered too permissive for their own good, in a way that often exposes them to insecurities in regular web application use. Many infosec researchers have started suggesting against their use as a result.

A project that has sprung up and is very popular (especially in the PHP world) is the PASETO, or Platform Agnostic SEcurity TOken. It has all of the portability of JWT tokens, but with strictly defined encryption standards that ensure they are always used safely.

More information and supporting libraries are available here: https://paseto.io/

Worthy of note is that there are two Golang libraries offering wide compatibility with the modern generation of PASETO tokens.

It would be excellent to see this supported for client authentication in Centrifugo, as it would absolutely be the type of token that I would be implementing in any application that required secure authenticating tokens.

FZambia commented 1 year ago

@BusterNeece hello! In general Paseto tokens seem nice, I've read about them before. Though before implementing them in Centrifugo I'd like to collect a better understanding of whether this is useful for a wider audience, for other Centrifugo users. You mentioned Paseto is popular in the PHP ecosystem. Could you elaborate more on this - why do you think so, do you know any popular projects which use them?

francislavoie commented 1 year ago

I'm not using Centrifugo yet, but I'm considering it for an upcoming project, reading the docs, etc.

I also came here wondering if any work had been done on adding PASETO support. I don't have any trust in JWT due to the bevy of vulnerabilities that have occurred in the past few years. Sample: https://www.howmanydayssinceajwtalgnonevuln.com/ (sourced from https://github.com/zofrex/howmanydayssinceajwtalgnonevuln/blob/deploy/data/vulns.yml)
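
What "strictly defined" means in practice for the first comment's point, and why the alg:none class of bug linked above does not translate to PASETO, as an added example that is neither part of this thread nor Centrifugo or library code: a minimal v4.public sign/verify pair written from the public PASETO spec (Pre-Authentication Encoding over header, message, footer and implicit assertion, then Ed25519), using only the Go standard library. It assumes an empty footer and empty implicit assertion to stay short; the verifier pins the version and purpose itself, so nothing in the token can pick the algorithm.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
)

// Version and purpose are fixed by the verifier and included in the signed data.
const header = "v4.public."

// pae is PASETO's Pre-Authentication Encoding: LE64(count), then LE64(len)||piece for each piece.
func pae(pieces ...[]byte) []byte {
	var buf bytes.Buffer
	le := make([]byte, 8)
	binary.LittleEndian.PutUint64(le, uint64(len(pieces)))
	buf.Write(le)
	for _, p := range pieces {
		binary.LittleEndian.PutUint64(le, uint64(len(p)))
		buf.Write(le)
		buf.Write(p)
	}
	return buf.Bytes()
}

// Sign produces header || base64url(msg || Ed25519 signature); footer and implicit assertion are empty here (simplification).
func Sign(sk ed25519.PrivateKey, msg []byte) string {
	sig := ed25519.Sign(sk, pae([]byte(header), msg, nil, nil))
	return header + base64.RawURLEncoding.EncodeToString(append(append([]byte{}, msg...), sig...))
}

// Verify rejects any token whose header differs from the expected one before touching crypto,
// so the token cannot choose a different version, purpose or algorithm (the JWT "alg" problem).
func Verify(pk ed25519.PublicKey, token string) ([]byte, error) {
	if !strings.HasPrefix(token, header) {
		return nil, errors.New("unexpected version/purpose")
	}
	body, err := base64.RawURLEncoding.DecodeString(token[len(header):])
	if err != nil || len(body) < ed25519.SignatureSize {
		return nil, errors.New("malformed payload")
	}
	msg, sig := body[:len(body)-ed25519.SignatureSize], body[len(body)-ed25519.SignatureSize:]
	if !ed25519.Verify(pk, pae([]byte(header), msg, nil, nil), sig) {
		return nil, errors.New("bad signature")
	}
	return msg, nil
}
```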

HeCorr commented 1 year ago

I would also definitely use PASETO over JWT on any project, and if that project also made use of Centrifugo it would be great to not have to support JWT as well.

artemsiberiangit commented 8 months ago

I agree, I would like to see Paseto