Alec Aivazis edited untitled.html  over 8 years ago

Commit id: 722a7629d32c52d3e73d1619bc3ac8c0239b9eda

  • In a single page app, all of the decisions about what view/subview to render occurs on the client and does not require a trip back to the server.
  • This means that the client has to be able to authenticate the currently logged in user and access its data without going back to the server
  • We have to store information concerning the logged in user in such a way that we can trust it.
    • With the rise of the single page app, a new vulnerability has emerged through the clever use of the javascript console.
      • Previous paradigms did not have this problem because they could authenticate every GET request and prevent the user from going somewhere they shouldn't.
  • JWTs 
  • JWTs  are good because they allow for the client to be responsible for keeping track of the permissions of the currently logged in user.
    • This removes the need for a session store in most cases which dramatically increases scalability
      • No more potential problem of synchronizing the store among processes with separate memory.
    • However JWTs require a secret key to be decrypted which means it can't happen on the frontend.
      • frontend with the same key that the server uses, say for its csrf protection.
        • A  malicious visiter would be able to download the source code compiled on a few different views and look for similar strings. One of them would be the secret key so its easily brute-forcible.
  • Because
  •
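Review bot: the bullet "JWTs require a secret key to be decrypted which means it can't happen on the frontend" conflates signing with encryption, and that mistake drives the rest of this section. A standard JWT (a JWS) is not encrypted: its header and payload are base64url-encoded and readable by anyone who holds the token, including the frontend, so the client can always read the claims; what the secret key protects is the ability to create or verify the HMAC signature. That in turn means the client cannot trust what it reads, because it has no way to check the signature without the server's secret, so the earlier claim that the client can "authenticate the currently logged in user ... without going back to the server" should be narrowed: the client may use the claims to decide which view or subview to render, but every access to the user's data must still be authorized on the server by verifying the signature on each request. If frontend verification is genuinely wanted, the usual answer is an asymmetric algorithm such as RS256, where only the public key is shipped to the browser and the private signing key never leaves the server. Two smaller points: the bullet starting "frontend with the same key that the server uses" has lost its lead-in and reads as a fragment, so the sentence it belongs to should be restored; and "brute-forcible" understates the problem in the following bullet, since a key embedded in the compiled client bundles is simply extractable by reading or comparing the shipped sources, with no brute force involved ("visiter" should also read "visitor"). The point about "the clever use of the javascript console" would be stronger if it named the actual risk: client-side checks only gate rendering, so a state the user can flip from the console must never be the sole gate in front of server-side data.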