#yada
2017-03-23
frozenlock 05:03:16

Where is :content-security-policy expected?

frozenlock 05:03:42

At which level in the resource map?

snorremd 07:03:07

Example:

{:methods        {:post ...}
 :access-control {:scheme "Basic", ...}
 :logger         (fn [ctx] (logging/info "Received request for ..."))}

snorremd 07:03:57

The phonebook example in the Yada repository demonstrates the use of the "Basic" access-control scheme. https://github.com/juxt/yada/blob/master/examples/phonebook/src/phonebook/resources.clj#L16

snorremd 07:03:08

Note, however, that the phonebook example uses a more complete structure with a realm name as well as a vector of authentication schemes: {:realm "your realm" :authentication-schemes [{:scheme "Basic"}]}. Unless you want to support multiple authentication schemes, you may simply specify a map with the :scheme and :verify key-value pairs. It at least seems to work for me.

malcolmsparks 08:03:47

This is the article on authentication (basic, form-based/cookie, JWT) that I've had in draft for a while and will be the next to be published.

malcolmsparks 08:03:24

The reason it requires the access token to access it is that it's still not quite ready for publication. Any feedback gratefully received.

stijn 09:03:14

@malcolmsparks Good article. As you already said yourself, there are some problems with JWT (http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/), even if you put an expiry date in the token. You cannot lock out a user before the expiry date.

stijn 09:03:36

We are still using a durable session store because of that.

stijn 09:03:32

And then you can just as well use cookies without JWT, I guess.

malcolmsparks 09:03:11

@stijn I'm not so against JWT as the author of the article. I quite like it that you can make some claims and protect them against tampering; that allows you to have state in the cookies which you can trust. Of course, if you want to expire them, you can always do that on the server side by checking a blacklist etc. But the advantage of JWT is that you can get going reasonably quickly without building a stateful session database. I think that's the core advantage. Any time you have a database, you have more things that can go wrong.

malcolmsparks 09:03:10

I think it really depends on your system. But I think the article would do well to have a link to that anti-JWT article too, just so people can make their own minds up.

stijn 09:03:20

@malcolmsparks I agree, a session store adds quite some complexity. Blacklisting really is the same, though, as storing the session. I just don't see any other way to go about securing your application when it should be possible to revoke access rights or degrade/upgrade roles.

stijn 09:03:57

It's the same with cookies, though: any client-side state you put in there, you can use it to replay requests.

stijn 09:03:26

And if you don't encrypt your cookie it only gets worse 🙂

jeroenvandijk 09:03:11

If you are interested in a class of sessions/tokens, instead of one specific one, it is not that hard to invalidate. You could do this by changing the signature, for instance. We do not use JWT for this, but we do have a construction similar to this, and it helps us scale.

dominicm 09:03:13

JWT is designed to be stateless. If you're not using it that way, aren't you essentially just using signed cookies?

jeroenvandijk 09:03:32

@dominicm I think that's true. I guess the main difference is that you can also use it in places where you can't use cookies, e.g. as a URL parameter.

dominicm 09:03:46

@jeroenvandijk Maybe I should have used the term "signed sessions".

dominicm 09:03:31

JWS is somewhat my preferred "stateful signed session" at the moment. It can go anywhere that JWT can.

jeroenvandijk 09:03:20

I think everyone has a point here. I just don't like articles that say "stop X", as there are valid use cases for all of the approaches.

lmergen 09:03:26

It does make it difficult to correctly implement things like a "password reset", though, and to automatically log out all other sessions.

lmergen 09:03:39

What we do is keep track of invalidated sessions.

lmergen 09:03:18

Which really defeats the point of decentralised token management.

dominicm 09:03:50

@jeroenvandijk The article is perhaps a little angry & sensationalist. But I think he backs up all his points with reasoning.

jeroenvandijk 09:03:19

I have had too many arguments with people that read articles like this, take it very seriously and try to argue with me that I'm doing something wrong. But other than that it is kind of funny 🙂

jeroenvandijk 09:03:56

I think what is missing is context.

dominicm 09:03:14

@jeroenvandijk No doubt I'd change my mind about this kind of article after encountering a few people like that 😛.

dominicm 10:03:11

I get the impression that by "session" he's talking about sites that are consumer facing, where you log in and modify stuff with auth.

malcolmsparks 10:03:38

For the purposes of the authentication article, I think it's useful to show people how to read/write JWT cookies, rather than take an opinion on whether it's a good thing to do. The problem is, I don't want to take the reader through the setup of a database just so I can show them how to do auth in yada.

dominicm 10:03:43

@jeroenvandijk Out of interest, what is your use case where the trade-offs of JWT don't apply?

jeroenvandijk 10:03:10

@dominicm I work on a realtime bidding platform, which has a really high scale and certain constraints. Because of the scale it makes sense to use a JWT-like concept (custom approach, but basically the same) instead of server sessions. The constraints don't allow us to use cookies or local storage. We have to put data in arbitrary places. Not sure if you get the picture just from this.

jeroenvandijk 10:03:42

That said, we might still start to use server sessions (via a key-value store), but I wouldn't say that this is easier or better (at our scale).

dominicm 10:03:44

@jeroenvandijk Sounds pretty much right for JWT. Those constraints put you into that position more or less.

dominicm 10:03:13

It's interesting that JWT is easy to start with, and necessary at high scale. I'd say that in the middle you want something closer to server-side sessions.

jeroenvandijk 10:03:23

The only reason I see (now) to move to server-side sessions is to be able to store more data and have lower bandwidth usage.

jeroenvandijk 10:03:26

Note that I'm just speaking for our use case. It might be less valid for the use case you were talking about.

malcolmsparks 19:03:26

Yes. I've come across corps that can't use GPL because they don't want to enter into the terms of that license agreement. But LGPL allows redistribution.

malcolmsparks 19:03:12

yada is not EPL. The main reason is to allow redistribution in GPL products.