acrolink

acrolink

How to create web browser fingerprints to be used when verifying JWT access tokens?

Thus, making sure that the token is being used by the same web browser used to authenticate in the first place?

Note: I am using Guardian.

Most Liked

kokolegorille

kokolegorille

I would advise You to inspect one of your conn. Put this inside any controller action

IO.inspect conn

This is an extract of a %Plug.Conn{}…

  req_headers: [
    {"host", "localhost:4000"},
    {"user-agent",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0"},
    {"accept", "application/json"},
    {"accept-language", "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"},
    {"accept-encoding", "gzip, deflate"},
    {"referer", "http://localhost:4000/main"},
    {"authorization",
     "Bearer SFMyNTY.g3QAAAACZAAEZGF0YWEBZAAGc2lnbmVkbgYA5ygrVWEB.kIFM_OUaENG973G2tVVu0HvRTe6UA3S0RUh-4_lniuQ"},
    {"connection", "keep-alive"},
    {"cache-control", "max-age=0"}
  ],

You can get user agent here. You can also see an authorization token.

Next step is to see how You sign your token, here is my way, with Phoenix.Token, but it does not matter if You sign this with Guardian.

  @spec sign(term) :: String.t()
  def sign(user), do: Phoenix.Token.sign(NextWeb.Endpoint, @salt, user.id)

Here You would add the user agent hash, or anything related, with the user id.

Inside the login controller, after login, You can sign token, and send it back to user.

    case Accounting.authenticate(session_params) do
      {:ok, user} ->
        token = sign(user)

        conn
        |> put_status(:created)
        |> render("show.json", token: token, user: user)

      {:error, _reason} ->
        conn
        |> put_status(:unprocessable_entity)
        |> render("error.json")
    end

Almost there, now You need the plugs. You can write your own, or use the one coming with guardian.

Check for those plugs:

  • verify_header
  • ensure_authenticated

But I guess it is quite a lot of work for no real security gain. If You can steal a token, You might as well steal the user agent string :slight_smile:

And You might not want a nightly browser build to invalidate your tokens.

kokolegorille

kokolegorille

It does not look too different from how I authenticate my users with phoenix. Except for the memcached part. This could be replaced by a GenServer I think…

If your problem is frontend logic… I cannot tell You, as You use Vue.js, and me React

Where Next?

Popular in Questions Top

siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
mgjohns61585
Could someone help me? I’m making my first elixir program, number guessing game. I can’t figure out how to convert the user’s guess from ...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54120 245
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement