How to roll your own token scheme?

There is a task to implement token authentication.
The server side is Node.js plus PostgreSQL.
There is a users table with the attributes token and token_life_time.

When the client authenticates in the system, they receive a token (this token is placed in the database in the user's token field), and token_life_time is set to new Date() + 24 hours.
Now the user accesses the REST resources with the header Authorization: Bearer <our token goes here>. The token is just a 90-character string of arbitrary characters. When a resource is accessed, the lifetime of the token (token_life_time) is checked. If the current time is less than token_life_time, the token is still valid and the user has access to the resources; otherwise not.
Right now this all works and everyone is happy.

The question is this.
Now there is a problem with using a randomizer for the token (90 characters), which is not cryptographically protected. Moreover, I do not want to generate random characters; I want to put something important into the token, such as e and the expiration date of the token's lifetime. I am going to implement hashing with bcrypt. Bcrypt can do comparison, but I can't get the expiration date back out of the hash. However, it is necessary, because you need to check the validity of the token.
What should I do?

2 Answers

At the very least: you have to compare not just the token, but also associate the token with the user's session. Otherwise your homemade scheme will be vulnerable to all kinds of MiTM attacks. Judging by the text, it will be vulnerable every 24 hours - enough to wait for the user to authenticate, and then the token can be passed to the attacking script.

It seems to me that, from what you have described, the best option would be JWT (https://jwt.io/).

asked Jun 4, 2019 by tryvols