Add signer warning
Consider adding warning in README to use different signers for different environments. Alternatively add environment identifier payload in JWT to make them incompatible between environments.
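A sketch of the second suggestion (an environment claim that makes a token unusable outside the environment it was issued for), added here as an example and not code from this project: a minimal HS256 signer and verifier in Python. The claim name `env`, the secret values, the user id and the `is_accepted` helper are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(secret: bytes, user_id: int, env: str, ttl: int = 3600) -> str:
    """Issue an HS256 JWT that carries the issuing environment in an 'env' claim (assumed claim name)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "env": env, "exp": int(time.time()) + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, expected_env: str) -> dict:
    """Return the payload if signature, expiry and environment all check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")  # different signer per environment fails here
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        raise ValueError("expired")
    if payload.get("env") != expected_env:
        # same signer, but the token was minted for another environment
        raise ValueError(f"token issued for {payload.get('env')!r}, not {expected_env!r}")
    return payload


def is_accepted(secret: bytes, token: str, expected_env: str) -> bool:
    try:
        verify_token(secret, token, expected_env)
        return True
    except ValueError:
        return False
```

With a shared secret the `env` claim alone rejects a staging token in production; with per-environment secrets the signature check rejects it even before the claim is read.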
@steffendsommer what exactly are the dangers of not doing this?
- forgetting to switch environment in Postman and making permanent changes in the production environment?
- is it generally easier for non-trusted parties to intercept a non-production environment?
Not doing this made us spend quite some time debugging something together with the mobile team where it was all caused by shared auth tokens. Not having the same user table across environments can lead to some pretty weird cases where you're able to log in, but as a different user. Considering that and looking at it from a principle standpoint, I think it makes sense to advise against doing this.