kazhuravlev
commented
6 years ago how about JWT? all user information can store in jwt, xsrf tokens store in boltdb.
Closed umputun closed 6 years ago
kazhuravlev
commented
6 years ago how about JWT? all user information can store in jwt, xsrf tokens store in boltdb.
umputun
commented
6 years ago I think with jwt there is no need to store xsrf token locally, can be part of the claim. This way all user info will be "packed" in the cookie as jwt token and won't be stored on the server side at all.
The concern I have about this - potential privacy impact. Instead of meaningless session ID, we will store a bunch of fields in this token - at least username, user id, and avatar URL on the browser side. Personally, I don't think this is the real issue, but some users may be more sensitive to such kind of things. Another concern - revocation is hard with JWT. And to do it right we will need separate auth token and refresh token.
the bottom line - I'm not sure using JWT for this service is the right thing to do.
umputun
commented
6 years ago @Menelion it doesn't solve any JWT problems described above. In addition, using such exotic thing will prevent us from using third-party JWT services. "More secure" part is not really that convincing to me, as it mostly addresses possible misuse of JWT.
umputun
commented
6 years ago changed my mind, switched to jwt
Menelion
Probably a good idea. I don't like a bunch of
.sessionfiles stored around.This package https://github.com/yosssi/boltstore can be the one we need.