Scuttlebutt seems really nice, but I have a feeling that for it to become popular it has to be less convoluted and confusing for the potential end-user who's not a technical genius. It makes sense to those of us who deal with this stuff often, but I'm pretty sure I'd have the hardest time trying to explain it to my mom for example.
Oh Jesus, this is hilarious but also sad. But mostly funny. https://www.mirror.co.uk/news/uk-news/black-friday-shopper-orders-299-21016179
Not sure who needs to hear this, but NordVPN are bad people and you shouldn't be using them. Selling customer data, using Oxylabs, it's all around pretty bad news. It's not worth it. Yes, sorry, it's Medium. (Something else you shouldn't be using, btw!) https://news.ycombinator.com/item?id=21664692
What if you used a proxy for your web app to store the tokens, keeping all its state contained and off the client, while providing tokens to people implementing your API who may have better means to store the tokens securely? If you have that kind of access to a device, then certainly you could be doing much worse than just stealing someone's tokens?
Short expiry times and rotating tokens sound like something you should be doing in either case. If someone grabs your token, then it doesn't matter whether it's stateful or not: you'll have to invalidate it either way, either by re-signing a new token with, for example, a changed password, or by removing it from your session state. What if you used a short JWT as an HttpOnly cookie? 4096 bytes sounds like a lot of data; it makes sense not to send such a large token with each request anyway.
Anyone got a minute to explain to me exactly why JWTs are bad? In the browser, yes, if you're vulnerable to XSS, someone could grab your token. But for authenticating against an API? HttpOnly cookies would work for the browser app in this case, so should I use stateful tokens to authenticate against my API from something that's not a website as well? I see way too much conflicting info and I don't have the skill to verify cryptographic properties.
I code games and the occasional app, make music, record sounds, and generally exist overwhelmingly.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!