novuhq / novu

Open-Source Notification Platform. Embeddable Notification Center, E-mail, Push and Slack Integrations.
https://novu.co

[NV-1952] 🚀 Feature: Revokable Client Auth Tokens #3116

Open david-morris opened 1 year ago

david-morris commented 1 year ago

🔖 Feature description

Add an expirable, revokable kind of auth token for the client.

Features on par with django_auth are ideal.

🎤 Why is this feature needed?

In my use case, I want to send notifications to logged-in users. I don't like HMAC authentication because once a hash is compromised, the attacker can read all of the victim's notifications until the subscriber is deleted.

✌️ How do you aim to achieve this?

🔄 Additional Information

It would be nice to be able to avoid an extra roundtrip for login. To do that, an authenticated node/python instance (read: external app server) could share a JWT secret key with the novu server.

Here's how Knock documents the feature I had in mind: https://docs.knock.app/in-app-ui/security-and-authentication#authentication-with-enhanced-security

👀 Have you spent some time to check if this feature request has been raised before?

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

NV-1952

scopsy commented 1 year ago

@david-morris this definitely makes sense in terms of an approach for our customer to be able to generate their own JWT tokens.

james-menzies commented 1 year ago

Yes! Completely agree with this proposal, especially with the risk posed if a user's HMAC signature were to be compromised.

Currently my workaround with my own web application is:

  1. User signs in on my app's client.
  2. Backend provides JWT for the main app, and an HMAC signature for Novu.
  3. Client authenticates with Novu via the widget API using the HMAC signature, and gets another JWT.

If we could instead BYO our own JWTs and provide Novu with a public key to verify them, we would not only have much easier code to maintain with fewer steps, but also be able to have fine-grained control over the security aspects of the authentication as well.

WonderPanda commented 1 year ago

+1 from us. We're currently evaluating Novu and this was one of the first things we identified as potentially blocking our adoption.

david-morris commented 1 year ago

@james-menzies I'm stealing this idea if the feature gets implemented! We already have JWTs.

scopsy commented 1 year ago

We are moving right now parts of the In App Provider configuration to be part of the integration store, where we could provide general configurations in the future such as public key etc. I will put myself a reminder on this one to review again once we perform the refactoring there.