djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Reuse a token for a specific lifetime #33

Closed Fraktl closed 10 years ago

Fraktl commented 10 years ago

Right now I've successfully setup my WSSE Authentication using your bundle. I get a token from

POST /security/create_token.json with the username and password sent over SSL

This returns a X-WSSE header which I use in my AngularJS application.

Using that X-WSSE header I can now do a

GET /api/v1/friends with the X-WSSE header I just received in the request header

The problem is that for every request I make I have to ask for a new token from the /security/create_token.json service, which causes a lot of overhead.

Isn't there a way to reuse the successfully created token I had the first time until I invalidate it by going to /security/destroy_token.json or by a lifetime settings in security.yml?

I'd like similar functionality to OAuth, where you generate a token and can use that token for, for example, 60 days or until you manually invalidate it.

I already have a mechanism in AngularJS where I send the X-WSSE header with every request, but the problem is that I get a "previously used nonce detected" error if I try to reuse the token for a follow-up request.

Any suggestions @djoos ?

Fraktl commented 10 years ago

@djoos Right now I'm storing an encrypted token in the HTML5 local database using AngularJS and sending it over with every request. When the user signs out I put an invalid token in the db, and this triggers a 401 on the API. Not an ideal solution, but it works for now.

djoos commented 10 years ago

Hi @Fraktl,

sorry for the late response!

How do you currently generate the digest? What exactly does create_token do for you?

Would you be able to shed some more light on your current usage and eventual goal?

Thanks in advance for your feedback! David

djoos commented 10 years ago

Hi @Fraktl,

instead of requesting a token prior to every call, can't you use the user's credentials (password/API token on user account plus a salt) to generate the digest immediately?

I'll close this issue for now, as AFAIK this shouldn't be a problem, but don't hesitate to get in touch if you run into issues!

Kind regards, David