fastapi-jwt-auth icon indicating copy to clipboard operation
fastapi-jwt-auth copied to clipboard

Published 20 hours ago verified publisher icon IndominusByte

How to use different secrety_key per user (eg to invalidate devices on password-change)

Open lefnire opened this issue 5 years ago • 6 comments

Looks like AuthJWT loads config one time, then sets that secret_key to be used for later fetch via self._get_secret_key()

class Settings(BaseModel):
    authjwt_secret_key: str = SECRET

@AuthJWT.load_config
def get_config():
    return Settings()

A pattern I've seen in tutorials to invalidate other devices after a user changes their password (if they got hacked, or just want to be on the safe side) is this. refresh_token is encoded and decoded using secret_key=f"{SERVER_SECRET}-{user.hashed_password}". Then since the latter is different post password-change, the hacked refresh_token will throw a decode error. I think the same can be done for access_token, but maybe less critical since they can expire quickly?

Anyway, would it be worth consideration to add a custom secret_key per Authorize.jwt_required() call, maybe an argument to that function? Or is there another way about this you can think of, eg adding the hashed password as a claim (is that insecure? I'm thinking it gets double-hashed here?)

lefnire avatar Nov 29 '20 02:11 lefnire

well if you adding a password as a claim is that insecure because the user or attacker can see the raw token in jwt.io, if you consider about double hashed you can use the Asymmetric Algorithm which uses a public-private key to hash the token, and for a custom secret key you can add when you create the token because in protected endpoint function is that dynamic decode token

IndominusByte avatar Nov 30 '20 04:11 IndominusByte

Thanks for the response, I'll scrap the claims idea then & think about Asymmetric.

for a custom secret key you can add when you create the token because in protected endpoint function is that dynamic decode token

I'll chew on this a bit. I think custom key is the right way, so I'll see if there's a solution here.

lefnire avatar Nov 30 '20 18:11 lefnire

maybe in the next version, I'll be considering your idea and do some research about it, thank you 😄🙏

IndominusByte avatar Nov 30 '20 18:11 IndominusByte

Thank you!

lefnire avatar Nov 30 '20 18:11 lefnire

Hey everybody, since I am currently faced with implementing a refresh pattern and how to do it best (Using fastapi-user, maybe fastapi-jwt-auth, other options) I was wondering if this is still being considered or how the status in general is?

florianabel avatar Jul 05 '23 20:07 florianabel

+1

demoh2019 avatar Aug 16 '23 10:08 demoh2019