
bottle-jwt isn't stateless

Open oz123 opened this issue 7 years ago • 0 comments

First, thanks for putting bottle-jwt in the open! It really helped me. However, there is one thing which I think might be improved.

JWTs are a great authentication mechanism. They give you a structured and stateless way to declare a user and what they can access. They can be cryptographically signed and encrypted to prevent tampering on the client side.

From https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage.

In this plugin's code it is not the case. Suppose I want to store my user info in some kind of persistent storage, then I implement a custom backend which saves the info to let's say MongoDB.

Every time the plugin validates the token it calls:

user = self.backend.get_user(...)

Which calls the database. This isn't stateless, and further, it retrieves information which should already be found in the token itself.

IMHO user = self.backend.get_user(...) should only be called in create_token, and validate should only validate with jwt.decode.

oz123, Nov 16 '17 06:11
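The split the issue asks for, as an added example that is not bottle-jwt's code and not the reporter's: the backend lookup happens once in `create_token`, where the user record is copied into the claims, and `validate_token` checks signature and expiry from the token alone, with no `get_user()` call. The names `create_token`, `validate_token`, `tamper_with_roles` and `rejects` are hypothetical; the secret and user record are constructed. HS256 is implemented with the standard library (`hmac`, `hashlib`, `base64`) so the block runs offline; the project's own `jwt.decode` call would do the same signature and expiry check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def create_token(user: dict, secret: bytes = SECRET, ttl: int = 3600, now=None) -> str:
    """Issue an HS256 JWT carrying identity and roles as claims.

    This is the only place a backend lookup belongs: the caller fetches the
    user record once (the hypothetical equivalent of backend.get_user) and
    everything validate_token later needs is copied into the payload.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user["id"],
        "name": user["name"],
        "roles": user["roles"],
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url_encode(_sign(signing_input, secret))


def validate_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Stateless validation: signature and expiry are checked from the token
    alone and the returned claims are the user info. No database call."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm before verifying; never let the token's own "alg"
    # select the verifier (rejects "none" and key-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(_sign(signing_input, secret), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def tamper_with_roles(token: str, new_roles: list) -> str:
    """Rewrite the payload without re-signing, as a malicious client would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["roles"] = new_roles
    forged = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


def rejects(token: str, **kwargs) -> bool:
    """True if validate_token refuses the token (signature, alg or expiry)."""
    try:
        validate_token(token, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    user = {"id": "u42", "name": "oz", "roles": ["reader"]}  # constructed record
    tok = create_token(user, now=1500000000)
    print(validate_token(tok, now=1500000001)["roles"])
    print(rejects(tamper_with_roles(tok, ["admin"]), now=1500000001))
```

Because the roles travel inside the signed payload, the server decides authorization from `validate_token`'s return value and never goes back to MongoDB on the hot path. The trade-off the issue does not mention but a practitioner should weigh: with no lookup, a role change or account ban is not seen until `exp`, so keep the TTL short or pair the claims with a revocation list if immediate revocation matters.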