[bisq-network/proposals] API security (#69)

Bernard Labno notifications at github.com
Tue Jan 22 09:45:59 UTC 2019


@mrosseel the goal of a JWT token is to allow the backend to identify the user without querying the db, so the token always contains some unencrypted info about the user and a backend signature to guarantee that the data was not tampered with.
We don't query the database and we keep the token in memory, so there is no benefit, while we would have to expose some data about the user. This is a privacy concern.
If a random token expires then it's useless. JWT tokens cannot expire, and even if the key used for signatures is changed, the token itself still contains some data about the user.

As far as I know letsencrypt still requires a registered domain name, doesn't it? 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/proposals/issues/69#issuecomment-456335358
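Added example (not from the thread or the Bisq project): a minimal HS256 JWT built with the Python standard library, next to an opaque random session token looked up server-side. It shows the two properties the comment above rests on: anyone holding a JWT can read its claims without the key (the payload is only base64url-encoded), and the HMAC signature is what rejects a token whose payload was altered or that was signed with another key. The claims, key and session store are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def make_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def read_claims_without_key(token: str) -> dict:
    """What any holder of the token can see: the payload is encoded, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature over header.payload checks out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def replace_payload(token: str, new_claims: dict) -> str:
    """Swap the payload while keeping the old signature; verify_jwt must reject this."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(_compact_json(new_claims))}.{sig_b64}"


def make_opaque_token(session_store: dict, user: dict) -> str:
    """Random bearer token; the user data stays server-side, so the token reveals nothing."""
    token = secrets.token_urlsafe(32)
    session_store[token] = user
    return token


def demo() -> dict:
    key = secrets.token_bytes(32)
    user = {"sub": "user-42", "email": "alice@example.invalid"}  # constructed sample claims
    jwt_token = make_jwt(user, key)
    store: dict = {}
    opaque = make_opaque_token(store, user)
    return {
        "jwt_claims_readable_without_key": read_claims_without_key(jwt_token) == user,
        "jwt_valid_with_key": verify_jwt(jwt_token, key) == user,
        "jwt_modified_payload_rejected": verify_jwt(replace_payload(jwt_token, {"sub": "user-1"}), key) is None,
        "jwt_wrong_key_rejected": verify_jwt(jwt_token, b"\x00" * 32) is None,
        "opaque_token_carries_user_data": any(v in opaque for v in user.values()),
        "opaque_token_resolves_server_side": store.get(opaque) == user,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `read_claims_without_key` call is the privacy point of the thread: whatever is placed in the payload is visible to anyone who sees the token in transit, in logs or in a browser. `verify_jwt` pins the algorithm and uses a constant-time comparison; the opaque-token variant is what a backend that already keeps session state in memory would use instead.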