Did I understand correctly how the token works?
I am writing a REST API. All users have a unique token. From the mobile application, I send the login and password to the API server. After that, if everything is correct, I give this unique token to the client, and as an SPA/mobile application I save it in a document. I make all requests with this token; on the server I check whether it exists and then return the data.
Yes. All right.
The only thing I will add is that it is better to send the token in the headers. Moreover, since the authentication mechanism is non-standard, it is desirable to send it in the X-Authorization header. If you decide to store the token in a cookie and pass it that way, it should preferably be an http-only cookie (although not necessary in the case of JWT), and the server should be protected from CSRF attacks.
Also, since credentials essentially travel over the network, it is important to use SSL. Fortunately, today there is Let's Encrypt to get certificates for free.
Last but not least, to be safe, use refresh tokens. That is, our unique token that travels with each request will have a lifetime limit (say 5 minutes), and we will use a refresh token to renew it. When a refresh token is received, a new pair of token + refresh token is sent to the client.
Thus, the attacker who intercepted the user's token will have a window of only 5 minutes to do something.
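The scheme in this answer (opaque token read from the X-Authorization header, 5-minute lifetime, refresh token exchanged for a fresh pair) as a minimal server-side sketch. This is an added example, not code from the answerer or the question author; it assumes in-memory dicts standing in for the token table, a 30-day refresh-token lifetime, and that the old refresh token is revoked when it is used (rotation), none of which the answer specifies.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 5 * 60              # 5 minutes, as in the answer
REFRESH_TTL = 30 * 24 * 3600     # assumption: 30 days

# In-memory stand-ins for the database tables. Tokens are stored
# hashed so that a leaked table does not yield usable tokens.
_access = {}    # sha256(access token) -> (user, expiry)
_refresh = {}   # sha256(refresh token) -> (user, expiry)


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_tokens(user, now=None):
    """Create a new access + refresh pair for `user` (called after login)."""
    now = time.time() if now is None else now
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _access[_key(access)] = (user, now + ACCESS_TTL)
    _refresh[_key(refresh)] = (user, now + REFRESH_TTL)
    return access, refresh


def authenticate(headers, now=None):
    """Resolve the X-Authorization header to a user, or None if missing/expired."""
    now = time.time() if now is None else now
    token = headers.get("X-Authorization")
    if not token:
        return None
    record = _access.get(_key(token))
    if record is None or record[1] <= now:
        return None
    return record[0]


def refresh_tokens(refresh, now=None):
    """Exchange a valid refresh token for a new pair; the old one is revoked."""
    now = time.time() if now is None else now
    record = _refresh.pop(_key(refresh), None)   # single use: rotation
    if record is None or record[1] <= now:
        return None
    return issue_tokens(record[0], now)
```

An intercepted access token stops working at its 5-minute expiry, which is the window the answer describes; a stolen refresh token becomes useless as soon as the legitimate client uses it.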
I passed by and, it seems, everything is correct, except for:
"From the mobile application, I send the login and password to the api server."
Never! Do you hear, Carl? NEVER SEND authorization data to the server WITHOUT PRELIMINARY HASHING on the client side with the server key.