Open david-morris opened 1 year ago
@david-morris this definitely makes sense in terms of an approach for our customer to be able to generate their own JWT tokens.
Yes! Completely agree with this proposal, especially with the risk posed if a user's HMAC signature were to be compromised.
Currently my workaround with my own web application is:
If we could instead BYO our own JWTs and provide Novu with a public key to verify them, we would not only have much easier code to maintain with fewer steps, but also be able to have fine-grained control over the security aspects of the authentication as well.
+1 from us. We're currently evaluating Novu and this was one of the first things we identified as potentially blocking our adoption
@james-menzies I'm stealing this idea if the feature gets implemented! We already have JWTs.
We are right now moving parts of the In App Provider configuration to be part of the integration store, where we could provide general configurations in the future such as a public key, etc. I will set myself a reminder on this one to review it again once we perform the refactoring there.
Feature description
Add an expirable, revocable kind of auth token for the client.
Features on par with django_auth are ideal.
Why is this feature needed?
In my use case, I want to send notifications to logged-in users. I don't like HMAC authentication because once a hash is compromised, the attacker can read all of the victim's notifications until the subscriber is deleted.
How do you aim to achieve this?
Additional Information
It would be nice to be able to avoid an extra roundtrip for login. To do that, an authenticated node/python instance (read: external app server) could share a JWT secret key with the novu server.
Here's how Knock documents the feature I had in mind: https://docs.knock.app/in-app-ui/security-and-authentication#authentication-with-enhanced-security
Have you spent some time to check if this feature request has been raised before?
Have you read the Code of Conduct?
Are you willing to submit PR?
None
NV-1952
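The difference the request describes, as an added example that is not part of the thread and is not Novu's code: a static HMAC subscriber hash next to a short-lived HS256 token minted by the app server with a shared secret, as in the "Additional Information" note. All function names, the claim layout and the `jti` revocation set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def subscriber_hash(secret: bytes, subscriber_id: str) -> str:
    # Static credential: the same value for this subscriber, with no expiry.
    return hmac.new(secret, subscriber_id.encode(), hashlib.sha256).hexdigest()

def mint_token(secret: bytes, subscriber_id: str, jti: str, now: int, ttl: int = 300) -> str:
    # App-server side: sign a token that names the subscriber and expires.
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subscriber_id, "jti": jti, "iat": now, "exp": now + ttl}
    body = f"{header}.{b64u(json.dumps(claims).encode())}"
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64u(sig)}"

def verify_token(secret: bytes, token: str, now: int, revoked=frozenset()) -> str:
    # Notification-server side: return the subscriber id or raise ValueError.
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_dec(header_b64))
        claims = json.loads(b64u_dec(claims_b64))
        sig = b64u_dec(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":          # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    body = f"{header_b64}.{claims_b64}".encode()
    if not hmac.compare_digest(sig, hmac.new(secret, body, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("jti") in revoked:          # server-side revocation by token id
        raise ValueError("revoked")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing sub")
    return claims["sub"]

if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed sample value
    print("static hash:", subscriber_hash(secret, "user-1"))
    token = mint_token(secret, "user-1", jti="t1", now=1000)
    print("valid at t=1100:", verify_token(secret, token, now=1100))
```

The hash stays valid for as long as the subscriber exists, while the token stops verifying at its `exp` or as soon as its `jti` is added to the revocation set.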