devdocs/specs/core-installation.txt (Normal file, 6 additions)
@@ -0,0 +1,6 @@
# Installer / installation specifications
Several environment variables need to be set by the installer.
- The AYANOVA_JWT_SECRET *MUST* be set to a random value generated by the installer and kep for all time as the key to use unless the user overrides it
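Review bot: the generated secret is underspecified. The spec should say how the installer generates it (a cryptographically secure random source) and the minimum size (at least 32 bytes for an HMAC signing key), and it should require the same minimum for a user-supplied override, otherwise "unless the user overrides it" reopens the weak-secret problem this file exists to close. Since the value is to be kept "for all time", also state where the installer persists it and with what file permissions, because anyone able to read it can issue valid tokens. Minor: "kep" should be "kept", and "Several environment variables need to be set" lists only one; either enumerate the others or narrow the sentence.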
@@ -17,7 +17,7 @@ SERVER
- DO ALL THE THINGS!!!! - all the way down to DOCS MANUAL below which isn't urgent and go back to client stuff
- JWT issues??
- LOOK INTO JWT issues??
- potentially lots of issues, look into it as using them kind of mindlessly right now.
It could be simply that people are attempting to do other things I am not but to be safe read the criticism and see if any of it applies:
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
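Review bot: the only change in this hunk is prefixing "JWT issues??" with "LOOK INTO", which leaves the item as open-ended as before. Since the following bullet admits the tokens are used "kind of mindlessly", it would be more useful to record what the server actually does today: which signing algorithm it pins, which claims (exp, iss, aud) it validates, and where the secret comes from. With that written down, the linked criticism can be checked against the real behaviour instead of being re-read later.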
@@ -25,8 +25,29 @@ SERVER
https://news.ycombinator.com/item?id=14292223
https://news.ycombinator.com/item?id=18804875
- PASETO instead of JWT??
- https://paseto.io/
- JWT Secret key issue:
- Secret key based on license to but is read in before license is read so it's always actually "UNLICENSED" as the regto making the jwt secret the same for all installations
- Unless overridden which no one will do
- Need to randomly generate a secret key on installation and add it as an environment variable
- Don't allow boot without pre-set secret key
- Un-tie secret key from license, they are two different things entirely and shouldn't be confounded
- Add tests to ensure security of JWT
- https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
- https://gist.github.com/ejcx/cbf2e1bb75b02c7d77bc1cfcf84a167e
- Test for expired token
- Wrong key / credentials rejected (ISS?)
- Test truncated signature portion (3rd part)
- Test signature transpose bytes
- Test with no or wrong algorithm ensure won't accept
- Test inactive user can't login
- UPDATE: Update all 3rd party libs in use with server and re-test
- It's been a while, some of the modules date to last fall
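Review bot: the root cause recorded here (the secret is derived from the license, but read before the license is loaded, so every installation ends up with the same "UNLICENSED"-derived key) is a startup-ordering bug, and the fix list under "JWT Secret key issue" should include a guard for it: refuse to boot when AYANOVA_JWT_SECRET is unset, empty, or still equal to the old default-derived value, and add that check to the test list below it. The bullet "Unless overridden which no one will do" should also be reconciled with the new core-installation.txt, which says the installer value is used "unless the user overrides it"; pick one policy and state it in both places. Two smaller points on the test list: "Wrong key / credentials rejected (ISS?)" conflates signature verification with the iss claim, so split it into a wrong-signing-key test and an issuer-claim test; and after the cut-over, tokens issued under the old shared secret must be rejected, which deserves its own test so the change is known to actually invalidate them.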