
I would like to know if what I've done so far is a sound way of authenticating/renewing the token and if there are any flaws or vulnerabilities that I should be aware of as I tried to limit database interaction to nil. Here goes.

  1. The user authenticates via normal Username/password or via Facebook
  2. The PHP backend generates a token with an expiration time of 30 minutes and sends it to the angularjs client
  3. The JWT token gets stored in $localStorage
  4. The JWT token is injected, with the help of an interceptor, in every request header
  5. All the Slim routes that need authentication check the sent token with the help of a middleware.
  6. If the token is invalid (expired, has been tampered with, is not suitable for that particular role), Slim will respond with a 401/403 error.
  7. An angular service checks every minute if the token is about to expire
  8. If the token is about to expire (5 to 1 minutes left), the service posts the old token to another API endpoint.
  9. The API endpoint checks the validity of the token and responds with a new one with an expiry time of +30 mins.
  10. The polling service I mentioned before replaces the old token in $localStorage.
  11. Rinse and repeat.

NB: SSL will be implemented in production

Bounty awarded to @Valdas as he was the only one who actually answered

Răzvan
    There is a good article about where to store the JWT. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ – Mika Tuupola Aug 23 '15 at 19:39
  • @MikaTuupola Thanks for the tip. I will store the token in a cookie for added protection. I already implemented the anti-CSRF mechanism mentioned there and had a look at your slim-jwt-auth middleware. Nice work! I rolled my own very basic middleware but yours definitely tops it. Gotta give it a try. Is the cookie/localStorage problem the only thing that seems _wrong_ with my logic? – Răzvan Aug 24 '15 at 07:03

1 Answer


There is no need to loop token expiration checking. I use https://github.com/auth0/angular-jwt as a library for my Angular projects, which provides a way to refresh the token just before the HTTP request is fired, simplifying the auth mechanism.

Also, you could remove the token from the request if it's loading a template (ends with .html), but this is just a personal preference.

Valdas
  • Thank you @Valdas but the loop serves a purpose: it doesn't let the token expire while the browser is opened, even if there's no user activity or request. As for all the amenities that the angular-jwt lib provides, I will probably use it in my next projects. – Răzvan Aug 25 '15 at 12:21