vjay15 2 days ago
no this is just a POC, I haven't implemented any of it
codingjoe 2 days ago | parent
Ok, then for everyone. Don't save tokens in a database. Selects are vulnerable to timing attacks. You want a token to include an id and a signature. The ID is used to look up the scope or user attached to the token, while the signature is recreated from the ID, the server secret and some salt. The resulting signature is double checked against the provided signature with a time constant comparison. An attacker will be able to identify valid keys, but won't be able to sign them. You can either split the values like AWS or join them with a separator. Good idea with the slug though, makes it easier to report leaked tokens to the issuer.