Open kumar303 opened 8 years ago
Note that this only applies to API key based JWTs since each token is generated for a single request. In other words, the frontend session JWTs can be used repeatedly so nonce restrictions should not be enforced there.
I don't have time to work on this right now. Feel free to assign yourself!
API JWTs must send a `jti` (ID/nonce), as documented, but currently the server is not using this to prevent replay attacks. Let's do it.

Originally filed as https://bugzilla.mozilla.org/show_bug.cgi?id=1213354
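One way the server-side check could look, as an added example written for this page (it is not addons-server's own code): the verifier validates the signature and `exp` first, and then, only for tokens coming from the API-key path, records the `jti` and refuses a second presentation while the token is still live. Session JWTs go through the same verifier with the nonce check switched off, matching the note above that they may be reused. Everything here is an assumption for illustration: HS256 with a single constructed shared secret (real API keys would each have their own), an in-memory `JtiStore` standing in for a shared cache, and a caller-supplied `enforce_jti` flag rather than any particular claim layout.

```python
"""Added example, not addons-server code: single-use jti enforcement for API-key JWTs.
All names, the shared secret and the in-memory store are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (compact serialization); used only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class JtiStore:
    """Seen jti values, each retained until the token's exp (assumed in-memory stand-in
    for a shared cache). Entries must outlive the token, or a replay after eviction
    would be accepted while the token is still valid."""

    def __init__(self):
        self._seen = {}  # jti -> exp timestamp

    def claim(self, jti: str, exp: int, now: int) -> bool:
        """Record jti; return False if it is already recorded and still live."""
        for old, old_exp in list(self._seen.items()):
            if old_exp <= now:  # expired tokens can no longer pass the exp check, so drop them
                del self._seen[old]
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_jwt(token: str, secret: bytes, store: JtiStore, enforce_jti: bool, now=None) -> dict:
    """Verify signature and exp; with enforce_jti, also require a jti and reject reuse."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and any algorithm we did not issue
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    if enforce_jti:  # API-key tokens only; session tokens are reusable
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            raise ValueError("API JWT missing jti")
        if not store.claim(jti, exp, now):
            raise ValueError("replayed jti")
    return claims


def replay_demo():
    """Constructed scenario: one API-key token presented twice, one session token presented twice."""
    secret = b"constructed-shared-secret"  # assumption; real deployments use per-key secrets
    store = JtiStore()
    api_token = mint_jwt({"iss": "api-key-id", "iat": 900, "exp": 960, "jti": "n0nce-1"}, secret)
    session_token = mint_jwt({"iss": "session", "iat": 900, "exp": 4500}, secret)
    results = []
    for tok, enforce in ((api_token, True), (api_token, True),
                         (session_token, False), (session_token, False)):
        try:
            verify_jwt(tok, secret, store, enforce_jti=enforce, now=930)
            results.append("accepted")
        except ValueError as err:
            results.append(f"rejected: {err}")
    return results


if __name__ == "__main__":
    print(replay_demo())
```

The store keys on the bare `jti`; in a multi-key deployment it should be keyed on the issuing API key plus the `jti`, so one client cannot burn nonces chosen by another.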