I'm going to use FastAPI Users for my application. I saw that it generates JWT tokens to perform verification processes in the application. For example, in order to verify user email address or to request password change. Is it a good idea in terms of security?
Valid user can only get jwt token, why do you wanna validate again? – deadshot Jun 11 '22 at 18:16
@deadshot, I didn't understand your question. Could you explain it please? – Michael Aboryone Jun 11 '22 at 18:18
1 Answer
JWT is stateless authentication and is very useful if you use a backend with multiple frontends (mobile app, website UI and ...).
Its security also depends on your implementation.
If you use a different secret key than the default FastAPI tutorial one (I saw it in some projects!) and use a rational expiration date, it's secure enough to handle big projects.
Consider that you should log out every login session of a specific user who is logged out from one client if you have multiple clients, which means you should implement some kind of JWT black-list.
About verification, I recommend using two-factor verification. I usually use a security code sent to email or an SMS code. It's more secure if you consider this scenario:
A user is logged in on a device and the JWT token is not expired. Another user using the same device in the office can change the password without any second-factor security layer. If you have a code sent to the mobile, it's more secure and no one can access it easily!

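As an added example (not code from FastAPI Users or from the answer's author), the following stdlib-only sketch shows the three points the answer makes: a session JWT signed with a non-default secret and a short expiry, a revocation list (JWT black-list) keyed on the token's `jti` so logout can invalidate a still-valid token, and a separate six-digit single-use verification code that must be presented on top of the live session before a password change. All function names, the in-memory stores and the constructed key are assumptions for the example; a real deployment would keep the denylist and codes in shared storage such as Redis with a TTL equal to the token or code lifetime.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example: a random per-process key. Load it from
# configuration in a real service and never reuse a tutorial's default secret.
SECRET_KEY = secrets.token_bytes(32)

# Denylist of revoked token ids ("jti"); entries only need to outlive "exp".
REVOKED_JTIS = set()

# (user, purpose) -> (sha256 hex of the code, expiry as epoch seconds)
VERIFICATION_CODES = {}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub, ttl_seconds, now=None):
    """Sign an HS256 session token for `sub` that expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds,
               "jti": secrets.token_hex(16)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token, now=None):
    """Return the payload only if signature, alg, expiry and revocation all pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None  # forged or tampered token
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":
        return None  # never let the token pick its own algorithm
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired
    if payload.get("jti") in REVOKED_JTIS:
        return None  # logged out on some client
    return payload


def revoke_jwt(token, now=None):
    """Logout: denylist the token's jti (only for a token that still verifies)."""
    payload = verify_jwt(token, now)
    if payload is None:
        return False
    REVOKED_JTIS.add(payload["jti"])
    return True


def issue_verification_code(user, purpose, ttl_seconds=600, now=None):
    """Six-digit code to deliver out of band (SMS/email); only its hash is kept."""
    now = int(time.time()) if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    VERIFICATION_CODES[(user, purpose)] = (
        hashlib.sha256(code.encode()).hexdigest(), now + ttl_seconds)
    return code


def consume_verification_code(user, purpose, code, now=None):
    """Single use: the entry is removed on any attempt, so a wrong guess burns
    the code (the user requests a fresh one) rather than allowing brute force."""
    now = int(time.time()) if now is None else now
    entry = VERIFICATION_CODES.pop((user, purpose), None)
    if entry is None:
        return False
    code_hash, expires_at = entry
    if now >= expires_at:
        return False
    return hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).hexdigest())


def change_password(session_token, code, now=None):
    """The answer's scenario: a live session alone must not be enough to change
    the password; the caller also has to present the out-of-band code."""
    payload = verify_jwt(session_token, now)
    if payload is None:
        return False
    return consume_verification_code(payload["sub"], "password-change", code, now)
```

Pass `now` explicitly to make the checks deterministic in tests; omit it in a running service. The denylist only grows until expired entries are pruned, which is why a store with per-key TTL is the usual choice.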
Thank you for your answer. FastAPI Users uses JWT tokens for verification purposes by default, and I would like to use two types of tokens: the first type is a six-digit numeric code for SMS and the second is a character token that will be used in one-time unique links. I guess that in the situation you described the old password can be used to prevent the possibility of changing it using the same device and the same JWT session. So I haven’t completely understood what I have to do. Could you help me by adding additional information please? – Michael Aboryone Jun 11 '22 at 21:12
The JWT is independent of the other things you are talking about. A JWT identifies a user and their claims, and can be verified without contacting the system that issued the token (i.e. you can tell that the user got authenticated (and possibly authorized) by a central authentication system without having to call back to that server to validate the JWT). Whether those properties (compared to issuing a plain randomized token) are important to you depends on your exact use case. However, the tokens you mention are one-time-use tokens that wouldn't be used as a session token in either case. – MatsLindh Jun 11 '22 at 22:32