GENERATE A RANDOM AUTH TOKEN
class User < ActiveRecord::Base
  # before_save re-runs on every save, so the token is rotated whenever the
  # record changes; to issue it once, use before_create or add `unless: :auth_token?`
  before_save :generate_auth_token

  def generate_auth_token
    loop do
      # Devise.friendly_token returns a URL-safe random string built on SecureRandom
      self.auth_token = Devise.friendly_token
      # retry on the (practically impossible) collision with an existing token
      break if User.find_by_auth_token(auth_token).nil?
    end
  end
end
Slide 8
PROBLEMS WITH THE SINGLE AUTH TOKEN APPROACH
Slide 9
NAIVE IMPLEMENTATIONS NEVER EXPIRE THEM
Slide 10
STORING IT IN PLAIN TEXT
Slide 11
ISN’T THAT THE SAME AS STORING PASSWORDS IN PLAIN TEXT?
Slide 12
NOT QUITE
Slide 13
PASSWORDS
• difficult to change
• used across several services
Slide 14
AUTH TOKENS
• easy to change
• auto-generated, random, unique
• not used across several services
Slide 15
03
SINGLE HASHED AUTH TOKEN PER USER
Slide 16
NOT STORING IT IN PLAIN TEXT
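As an added example (not code from the original slides or from Devise), here is the hashed-token approach of sections 02 and 03 in plain Ruby: the token is random, only its SHA-256 digest is stored, and it expires, which addresses both the "never expire them" and the "stored in plain text" problems above. TokenStore, its column names and the 30-day TTL are assumptions; in Rails the store would be columns on the users table.

```ruby
require "securerandom"
require "digest"

# Added example, not code from the original slides: an opaque auth token that is
# handed to the client once and kept server-side only as a SHA-256 digest, with
# an expiry so tokens do not live forever. TokenStore stands in for a users table;
# in Rails this would be columns such as auth_token_digest and auth_token_issued_at
# (assumed names).
class TokenStore
  TOKEN_TTL = 60 * 60 * 24 * 30 # 30 days, an assumed policy

  Record = Struct.new(:user_id, :digest, :issued_at)

  # the clock is injectable so expiry can be exercised without sleeping
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # digest => Record; the plaintext token is never kept
  end

  # Generate a fresh token (same idea as Devise.friendly_token, which wraps
  # SecureRandom), persist its digest, and return the plaintext exactly once.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    digest = self.class.digest(token)
    @records[digest] = Record.new(user_id, digest, @clock.call)
    token
  end

  # Look the presented token up by its digest and reject it once expired.
  # A leaked table of digests is useless to an attacker: with 256 bits of
  # entropy per token there is nothing to brute-force, so a fast hash is
  # enough here (unlike passwords, which need bcrypt or similar).
  def authenticate(token)
    return nil if token.nil? || token.empty?
    rec = @records[self.class.digest(token)]
    return nil if rec.nil?
    if @clock.call - rec.issued_at > TOKEN_TTL
      @records.delete(rec.digest) # expired: drop it so it cannot be replayed
      return nil
    end
    rec.user_id
  end

  # Explicit logout or forced revocation: delete the digest.
  def revoke(token)
    return false if token.nil?
    !@records.delete(self.class.digest(token)).nil?
  end

  # What is actually persisted (used to confirm no plaintext is stored).
  def digests
    @records.keys
  end

  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

The lookup is by digest, so a database dump exposes nothing reusable; compare this with the slide-7 code, which stores `auth_token` itself. Rotation on logout is a one-row delete, and a TTL check on every request is what keeps naive implementations from handing out tokens that never expire.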
Slide 17
[Diagram: a BROWSER and a MOBILE client each send EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123 to the SERVER; the server answers the browser with AUTH_TOKEN=RAND0M$TR1N6 and the mobile client with AUTH_TOKEN=ANOTHER-RAND0M$TR1N6]
JSON WEB TOKEN
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE.03f329983b86f7d9a9f5fef85305880101d
Slide 51
BODY CLAIMS
iss: the issuer of the token
sub: the subject of the token (typically the user it identifies)
exp: the expiration time as a NumericDate (seconds since the Unix epoch); the JWT MUST NOT be accepted on or after this time
nbf: the time before which the JWT MUST NOT be accepted for processing
iat: the time the JWT was issued; can be used to determine the age of the JWT
Slide 52
08
JWT <> RAILS SESSIONS
Slide 53
RAILS SESSIONS ARE ENCRYPTED
JWTs ARE SIGNED
Slide 54
RAILS SESSIONS CAN’T BE READ ON THE CLIENT SIDE
JWTs CAN BE READ ON THE CLIENT SIDE
Slide 55
SECRET INFORMATION IN JWTs MUST BE EXPLICITLY ENCRYPTED
Slide 56
09
STATELESS AUTH
Slide 57
BODY
{ "user_id": 231 }
Slide 58
FORCE LOGOUT / ACCOUNT HIJACKING
Slide 59
10
REVOCATION
Slide 60
HOW DOES DEVISE HANDLE THIS?
Slide 61
INSERT A PART OF THE USER’S PASSWORD HASH INTO THE PAYLOAD
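As an added example (not code from the original slides, and not Devise's own implementation), the following Ruby puts together the BODY CLAIMS slide and this revocation slide: a minimal HS256 JWT with exp/nbf/iat handling, a `peek` that shows the body is readable without the secret, and a stateless login whose payload carries a fragment of the user's password hash so that a password change invalidates every outstanding token. Jwt, User, StatelessAuth, the `pwd` claim name and the one-hour TTL are assumptions; PBKDF2 stands in for the bcrypt hash Devise keeps in `encrypted_password` so the example runs without the bcrypt gem.

```ruby
require "openssl"
require "json"
require "securerandom"

# Added example, not code from the original slides or from Devise. A minimal
# HS256 JWT (signing, claim checks, unverified peek) plus the revocation trick
# the slide describes: a fragment of the user's password hash travels in the
# payload, so changing the password invalidates every outstanding token with no
# server-side token table. Class, method and claim names are assumptions.
module Jwt
  module_function

  def b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def b64url_decode(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m0") # strict decoding raises ArgumentError on garbage
  end

  # Constant-time comparison so signature checks do not leak timing information.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def encode(payload, secret)
    header = { "alg" => "HS256", "typ" => "JWT" }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, signing_input))}"
  end

  # What any client can do: read the body without the secret. This is why secrets
  # must not be placed in a JWT payload unless they are separately encrypted.
  def peek(token)
    JSON.parse(b64url_decode(token.split(".", -1)[1].to_s))
  end

  # Verify the signature first, then the time-based claims (exp, nbf).
  def decode(token, secret, now: Time.now.to_i)
    parts = token.split(".", -1)
    raise ArgumentError, "malformed token" unless parts.size == 3
    h, p, s = parts
    header = JSON.parse(b64url_decode(h))
    raise ArgumentError, "unexpected alg" unless header["alg"] == "HS256" # also rejects "none"
    expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h}.#{p}")
    raise ArgumentError, "bad signature" unless secure_equal(b64url_decode(s), expected)
    payload = JSON.parse(b64url_decode(p))
    raise ArgumentError, "expired" if payload["exp"] && now >= payload["exp"]
    raise ArgumentError, "not yet valid" if payload["nbf"] && now < payload["nbf"]
    payload
  end
end

# Stand-in for a Devise model. Devise keeps a bcrypt hash in encrypted_password;
# PBKDF2 is used here only so the example runs without the bcrypt gem (assumption).
class User
  attr_reader :id, :encrypted_password

  def initialize(id, password)
    @id = id
    @salt = SecureRandom.hex(8)
    self.password = password
  end

  def password=(new_password)
    @encrypted_password = OpenSSL::PKCS5.pbkdf2_hmac(
      new_password, @salt, 10_000, 32, OpenSSL::Digest.new("SHA256")
    ).unpack1("H*")
  end

  # The fragment embedded in tokens; it changes whenever the password does.
  def password_fragment
    encrypted_password[0, 16]
  end
end

class StatelessAuth
  TTL = 60 * 60 # one hour, assumed

  def initialize(secret, users_by_id)
    @secret = secret
    @users = users_by_id # stand-in for User.find
  end

  def issue(user, now: Time.now.to_i)
    Jwt.encode({ "sub" => user.id, "pwd" => user.password_fragment,
                 "iat" => now, "exp" => now + TTL }, @secret)
  end

  # Returns the user, or nil when the token is invalid, expired, or was issued
  # before the user's most recent password change.
  def authenticate(token, now: Time.now.to_i)
    payload = Jwt.decode(token, @secret, now: now)
    user = @users[payload["sub"]]
    return nil unless user && Jwt.secure_equal(user.password_fragment, payload["pwd"].to_s)
    user
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

Two caveats follow from the earlier slides. The fragment is visible to anyone holding the token (`Jwt.peek`), so this only works because it is a fragment of a slow password hash, not the password; with a fast hash it would become an offline cracking target. And because the token is stateless, "force logout" here means "change the password"; revoking a single device's token without touching the others still needs server-side state, such as the digest table of the hashed-token approach.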