fix: embed user id in JWT #17
Changes from 4 commits
16cbced
b513b5f
f62826b
718e4bd
2c2c4f1
2cb01e8
@@ -1,5 +1,6 @@ | ||
import { AUTH_TYPES } from "@versini/auth-common"; | ||
import { useLocalStorage } from "@versini/ui-hooks"; | ||
import * as jose from "jose"; | ||
import { useEffect, useState } from "react"; | ||
|
||
import { EXPIRED_SESSION } from "../../common/constants"; | ||
|
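Review bot: the new "import * as jose from "jose";" line pulls the whole jose namespace into a client bundle for a single call; the rest of this file only uses decodeJwt, so a named import ("import { decodeJwt } from "jose";") lets the bundler tree-shake the signing and key-management code. Since this is the first use of jose in the file, also confirm that jose is declared as a direct dependency of this package rather than resolved transitively.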
@@ -39,13 +40,14 @@ export const AuthProvider = ({ | |
|
||
useEffect(() => { | ||
if (previousIdToken !== idToken && idToken !== "") { | ||
const { _id }: { _id: string } = jose.decodeJwt(idToken); | ||
setAuthState({ | ||
isAuthenticated: true, | ||
accessToken, | ||
refreshToken, | ||
idToken, | ||
logoutReason: "", | ||
userId: authState.userId, | ||
userId: _id || "", | ||
}); | ||
} else if (previousIdToken !== idToken && idToken === "") { | ||
setAuthState({ | ||
|
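Review bot: the "const { _id }: { _id: string } = jose.decodeJwt(idToken);" line has no try/catch, and decodeJwt throws on a malformed token (it parses, it does not verify), while this effect runs on whatever useLocalStorage hands back, so a corrupted or hand-edited localStorage value would crash the effect instead of ending the session; the login path below wraps the same call in try/catch, so do the same here and route the failure to the logout branch. Separately, "userId: _id || ""," still sets isAuthenticated: true when the payload has no _id, which is exactly the case login now rejects; treat a missing _id as an invalid session rather than an authenticated user with an empty id.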
@@ -57,7 +59,7 @@ export const AuthProvider = ({ | |
userId: "", | ||
}); | ||
} | ||
}, [accessToken, refreshToken, idToken, previousIdToken, authState.userId]); | ||
}, [accessToken, refreshToken, idToken, previousIdToken]); | ||
|
||
const login = async (username: string, password: string) => { | ||
const response = await serviceCall({ | ||
|
@@ -70,21 +72,27 @@ export const AuthProvider = ({ | |
}, | ||
}); | ||
|
||
if (response.data?.idToken) { | ||
setIdToken(response.data.idToken); | ||
response.data.accessToken && setAccessToken(response.data.accessToken); | ||
response.data.refreshToken && setRefreshToken(response.data.refreshToken); | ||
setAuthState({ | ||
isAuthenticated: true, | ||
idToken: response.data.idToken, | ||
accessToken: response.data.accessToken, | ||
refreshToken: response.data.refreshToken, | ||
userId: response.data.userId, | ||
logoutReason: "", | ||
}); | ||
return true; | ||
try { | ||
const { _id }: { _id: string } = jose.decodeJwt(response.data.idToken); | ||
if (_id) { | ||
setIdToken(response.data.idToken); | ||
response.data.accessToken && setAccessToken(response.data.accessToken); | ||
response.data.refreshToken && | ||
setRefreshToken(response.data.refreshToken); | ||
setAuthState({ | ||
isAuthenticated: true, | ||
idToken: response.data.idToken, | ||
accessToken: response.data.accessToken, | ||
refreshToken: response.data.refreshToken, | ||
userId: _id, | ||
logoutReason: "", | ||
}); | ||
return true; | ||
} | ||
return false; | ||
} catch (_error) { | ||
return false; | ||
Comment on lines +86 to +105

Reviewer (suggested change):
- return false;
+ return { success: false, error: _error.message };

aversini: I explicitly do not want to provide error messages so that authentication tampering is harder: we do not want to disclose what the authentication issue is... just log the user out with a generic "session timeout".

Reviewer: @aversini, I understand your approach to enhance security by not providing specific error messages during authentication processes. It's a prudent measure to prevent potential tampering by obscuring the details of authentication failures. I'll keep this in mind for future reviews related to authentication mechanisms. Thank you for clarifying your security strategy! (Learnings added)
|
||
} | ||
return false; | ||
}; | ||
|
||
const logout = () => { | ||
|
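Review bot: "if (_id) {" is a truthiness check on a value that is typed by annotation only ("{ _id: string }" is a compile-time cast, decodeJwt returns whatever the payload contains), so a non-string _id such as a number or an object would pass and land in authState.userId; check typeof _id === "string" && _id !== "" instead. The try block also wraps the setIdToken/setAccessToken/setAuthState calls, so an exception thrown by any setter is reported as a failed login with nothing logged; narrowing the try to the decodeJwt call keeps the generic "return false" the maintainer wants for token problems without hiding unrelated errors. Note that decodeJwt only parses: here the token comes straight from the login response, so this is a format check, not an authenticity check, and the server remains the authority on what the claims mean.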
Tip: Codebase Verification

The current implementation does not explicitly validate the JWT before extracting _id. To follow security best practices, make sure to validate the JWT token to confirm its authenticity and integrity before using any data from it: verify it with jose or another trusted library before extracting _id.

Analysis chain: The refactored useEffect uses jose.decodeJwt to handle idToken changes effectively. Ensure that _id extraction follows security best practices. Also applies to: 62-62