What if you used a proxy for your web app to store the tokens, keep all its state contained and off the client, while providing tokens to people implementing your API who may have better means to store the tokens securely? If you have that kind of access to a device then certainly you could be doing much worse than just stealing someone's tokens?

Short expiry times and rotating tokens sound like something you should be doing in either case. If someone grabs your token, then it doesn't matter whether it's stateful or not, you'll have to invalidate it either way, by either re-signing a new token with, for example, a changed password, or by removing it from your session state. What if you used a short JWT as an HTTP-only cookie? 4096 bytes sounds like a lot of data; it makes sense not to send such a large token with each request anyway.

Anyone got a minute to explain to me exactly why JWTs are bad? In the browser, yes, if you're vulnerable to XSS, someone could grab your token. But for authenticating against an API? HTTP-only cookies would work for the browser app in this case, so should I use stateful tokens to authenticate against my API from something that's not a website as well? I see way too much conflicting info and I don't have the skill to verify cryptographic properties.
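The three posts above ask about short-lived JWTs, rotation, and HttpOnly cookies. The following is an added example (not code from any of the posters) showing the defender-side pieces in one place: a minimal HS256 JWT with a short `exp`, a per-token `jti` so an individual token can be revoked server-side (the "stateful" part, which is what actually lets you kill a stolen token before it expires), a rotation step that retires the old `jti` when a fresh token is issued, and the `Set-Cookie` header that keeps the token away from page scripts. The secret, subject, and timestamps are constructed test values; the cookie name `session` and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, subject: str, ttl_seconds: int, now: int) -> str:
    """Issue an HS256 JWT that expires ttl_seconds after `now` (unix seconds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so this one token can be revoked
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int, revoked_jtis: set):
    """Return the payload if the token is authentic, unexpired and not revoked; else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token tell you how to verify it.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None  # malformed structure, bad base64 or bad JSON
    if now >= payload.get("exp", 0):
        return None  # short expiry limits how long a stolen token is useful
    if payload.get("jti") in revoked_jtis:
        return None  # server-side state lets us kill a specific token early
    return payload


def rotate_token(secret: bytes, old_token: str, now: int, revoked_jtis: set, ttl_seconds: int):
    """Exchange a still-valid token for a fresh one and retire the old one's jti."""
    payload = verify_token(secret, old_token, now, revoked_jtis)
    if payload is None:
        return None
    revoked_jtis.add(payload["jti"])
    return mint_token(secret, payload["sub"], ttl_seconds, now)


def session_cookie(token: str, ttl_seconds: int) -> str:
    """Set-Cookie value: HttpOnly keeps it out of reach of page scripts,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return (f"session={token}; Max-Age={ttl_seconds}; Path=/; "
            f"HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    secret = b"constructed-example-secret-do-not-reuse"
    t0 = 1_700_000_000
    revoked: set = set()
    tok = mint_token(secret, "alice", 300, t0)
    print(session_cookie(tok, 300))
    print("valid now:", verify_token(secret, tok, t0 + 10, revoked) is not None)
    print("valid after expiry:", verify_token(secret, tok, t0 + 300, revoked) is not None)
    fresh = rotate_token(secret, tok, t0 + 60, revoked, 300)
    print("old token after rotation:", verify_token(secret, tok, t0 + 61, revoked) is not None)
    print("new token after rotation:", verify_token(secret, fresh, t0 + 61, revoked) is not None)
```

The revocation set is the bit of server-side state the posts are weighing: without it, a leaked token stays usable until `exp`, which is why a short TTL matters; with it, the token can be invalidated the moment a compromise is noticed, whichever way the token was stored. A `jti` denylist only needs to hold entries until their `exp` passes, so it stays small even with aggressive rotation.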

This gigabit Internet really can’t start existing fast enough in this house. Me excited.

Beep? Boop? My Nginx and Redis totally died and I didn't realize. :(

@quad Oh man. I gave up trying to self-host my own mail because I was constantly running after people keeping blacklists up to date. Somehow, even though all my records were fine and everything resolved how it should, I still kept getting on those. Not sure if I was doing something wrong but eventually I just got tired of constantly trying to tell people that I don't send spam and that security was in place to prevent that from happening. :(

Seriously? You can't install things from the M$ Store without a M$ account anymore? That's so unbelievably lame you have no idea. I'm also not in the least bit surprised.

I mean apart from wave, obviously. I wouldn't have a problem with that. But it's huge.

Why can't all browsers just be able to play opus? Why does MP3 have to be that one format that seems to work across all browsers? This makes me sad.

@Mayana @pitermach oh I am not afraid. Not afraid at all. My dignity shall not perish!

@pitermach @Mayana You can probably imagine my confusion after reading this completely out of context as a notification on my phone. You made my day.

Tradition is just peer pressure from dead people...

Someone tell me why I can't stop reading the way of the shaman series? Please?

I should make an account that is purely for complaining about accessibility.

And there goes Signal with their accessibility. Seriously. Ugh. Just ugh.

