acrolink
How to create web browser fingerprints to be used when verifying JWT access tokens?
Thus, making sure that the token is being used by the same web browser used to authenticate in the first place?
Note: I am using Guardian.
Most Liked
kokolegorille
I would advise You to inspect one of your conn. Put this inside any controller action
IO.inspect conn
This is an extract of a %Plug.Conn{}…
req_headers: [
{"host", "localhost:4000"},
{"user-agent",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0"},
{"accept", "application/json"},
{"accept-language", "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"},
{"accept-encoding", "gzip, deflate"},
{"referer", "http://localhost:4000/main"},
{"authorization",
"Bearer SFMyNTY.g3QAAAACZAAEZGF0YWEBZAAGc2lnbmVkbgYA5ygrVWEB.kIFM_OUaENG973G2tVVu0HvRTe6UA3S0RUh-4_lniuQ"},
{"connection", "keep-alive"},
{"cache-control", "max-age=0"}
],
You can get user agent here. You can also see an authorization token.
Next step is to see how You sign your token, here is my way, with Phoenix.Token, but it does not matter if You sign this with Guardian.
@spec sign(term) :: String.t()
def sign(user), do: Phoenix.Token.sign(NextWeb.Endpoint, @salt, user.id)
Here You would add the user agent hash, or anything related, with the user id.
Inside the login controller, after login, You can sign token, and send it back to user.
case Accounting.authenticate(session_params) do
{:ok, user} ->
token = sign(user)
conn
|> put_status(:created)
|> render("show.json", token: token, user: user)
{:error, _reason} ->
conn
|> put_status(:unprocessable_entity)
|> render("error.json")
end
Almost there, now You need the plugs. You can write your own, or use the one coming with guardian.
Check for those plugs:
- verify_header
- ensure_authenticated
But I guess it is quite a lot of work for no real security gain. If You can steal a token, You might as well steal the user agent string ![]()
And You might not want a nightly browser build to invalidate your tokens.
kokolegorille
It does not look too different from how I authenticate my users with phoenix. Except for the memcached part. This could be replaced by a GenServer I think…
If your problem is frontend logic… I cannot tell You, as You use Vue.js, and me React
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









