JWT Authentication for Write API from Mobile App / Web App
-
Typically, in JWT, a token is returned from the server after a successful authentication. You would use the token for all subsequent requests.
JWT.IO - JSON Web Tokens Introduction (jwt.io): Learn about JSON Web Tokens, what they are, how they work, and when and why you should use them.
I have integrated APIs with client apps through JWT in the past as well. It was the same approach.
Is this the approach followed in NodeBB?
The write API plugin README seemingly suggests a different approach:
https://github.com/NodeBB/nodebb-plugin-write-api#json-web-tokens
I might be wrong here, but this sounds like a very insecure way. Why would I reveal the secret in the client apps to generate a token? (Also, I didn't see any jwt.sign method in this plugin or in the NodeBB core, so it is definitely expecting the token to be generated from the client.)
@baris @julian @psychobunny It would be nice if any of you could authoritatively say what the right approach to JWT authn is.
Thanks in advance
-
@gingerman said in JWT Authentication for Write API from Mobile App / Web App:
I might be wrong here, but this sounds like a very insecure way. Why would I reveal the secret in the client apps to generate a token? (Also, I didn't see any jwt.sign method in this plugin or in the NodeBB core, so it is definitely expecting the token to be generated from the client.)
You wouldn't be revealing the secret to the client (that's definitely a bad idea). The payload is signed from your app, on the server side, and then sent to NodeBB. The signing merely represents that the payload was unaltered in transit, but does not signify that the secret itself has or has not been compromised.
Definitely do not share the secret.
-
@gingerman That's correct -- you wouldn't want to have the app generate the JWT, since it can easily be decompiled and then the secret is compromised.
Right now the write api does not act as a session/login authority, so it is unable to generate an access token for use. It could potentially be added, though it is not something on the roadmap currently.
-
Even using a cookie is possible for a mobile application, but the server should provide an API to verify the username and password and return the cookie value for this session. The mobile app then sets the cookie for the following requests.
I'll give a sample for the iOS platform.
```objectivec
#import <Cordova/CDVPlugin.h>

// Cordova plugin method (the method name is an assumption; the original post
// only showed the body). Arguments: [appUrl, cookieString], where cookieString
// is the raw cookie header returned by the login API.
- (void)setSessionCookie:(CDVInvokedUrlCommand *)command
{
    // set cookie storage
    NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    [cookieStorage setCookieAcceptPolicy:NSHTTPCookieAcceptPolicyAlways];

    CDVPluginResult *result = nil;
    NSString *appUrl = [command.arguments objectAtIndex:0];
    NSString *appCookie = [command.arguments objectAtIndex:1];

    if (appUrl != nil && [appUrl length] > 0 && appCookie != nil && [appCookie length] > 0) {
        NSArray *cookieArray = [appCookie componentsSeparatedByString:@";"];
        for (NSString *cookieItem in cookieArray) {
            NSMutableDictionary *cookieDict = [NSMutableDictionary dictionary];
            // Only the session cookie is picked out of the header.
            NSRange range = [cookieItem rangeOfString:@"connect.sid="];
            if (range.location != NSNotFound) {
                NSString *cookieValue = [cookieItem substringFromIndex:(range.location + range.length)];
                // Scope the cookie to the forum's host so it is not sent elsewhere.
                // (stringByAddingPercentEscapesUsingEncoding: is deprecated since iOS 9.)
                NSURL *url = [NSURL URLWithString:[appUrl stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding]];
                NSString *domain = [url host];

                // set cookie
                [cookieDict setObject:@"connect.sid" forKey:NSHTTPCookieName];
                [cookieDict setObject:cookieValue forKey:NSHTTPCookieValue];
                [cookieDict setObject:domain forKey:NSHTTPCookieDomain];
                [cookieDict setObject:@"/" forKey:NSHTTPCookiePath];
                [cookieDict setObject:@"0" forKey:NSHTTPCookieVersion];

                NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieDict];
                [cookieStorage setCookie:cookie];
            }
        }
        result = [CDVPluginResult resultWithStatus:CDVCommandStatus_OK];
    } else {
        result = [CDVPluginResult resultWithStatus:CDVCommandStatus_ERROR
                                  messageAsString:@"appUrl and cookie are required"];
    }
    [self.commandDelegate sendPluginResult:result callbackId:command.callbackId];
}
```