I didn't even searched for something like this, just thought of it...

KZfaq algorithm at its finest

Universe at work.

Real

You mean this channel uploaded the video right after you were searching for it in google?

This one looked sponsored. But who cares, Jeff explained me JWT in 100 seconds which I had been struggling to understand since a few months now.

Knowledge is a hell of a drug

yes you're goddamn right

Absolutely true. It's the same for me too🔥

Me too

SQL injection

I 100% agree with this

This guy doesn’t know shit.

Your juniors can get the info here. Give them a bit more than 2 minutes. They will appreciate it.

Thank you. Good idea, I want to cover more DBs in this format.

@@edwardsmale3977 Redis is just a key value store which makes it extemely fast. Adding/reading/removing data works basically like the local/session storage in a browser. It’s mostly used for storing session or caching data.

With serverside sessions, its common to shove that data it into some external memory storage like redis. It frees up load on your database, plus that data doesn't need to be persistent anyways. And it keeps your api servers or w.e stateless, makes it easier to autoscale stuff while it sits behind a load balancer.

​@@Fireship hello there, do make RUST in 100 seconds and React state management in 100 seconds

@@Fireship At 1:40, what does it mean that web tokens "can't be used to authenticate a user in the background on the server"?

This i what i’m trying to figure out. If you store the jwt in a cookie/http only cookie. Is it still considered as token based auth? Or it is now cookie based auth?, Also if you indeed store the jwt in the cookie, how can you attach the jwt on the header as bearer token in your request?

@@zedshockblade7157 cookies are sent automagically to any requests made to the specific server in which they were created, so you don’t need to include them in the headers manually

​@@zedshockblade7157 those are 2 separate things. Manually adding the SECRET (let's call it that, for now) to the Authorization header on every request versus storing it and as a cookie (and letting the browser automatically add the cookie header on every request) will achieve the very same goal. Now, there's the SECRET type. A "session" is a token you generate and store in memory or disk storage. You have to check the user sent SECRET through a list of valid sessions every request. The "token" is signed using a hashing algorithm, so you can mathematically prove you are the one who created the token (and not someone else). That way, you don't have to go through a list, you just trust it. One con of the that last approach is that you can't revoke a token (by removing it from the valid tokens list). That feature can be important in some systems (e.g. revoke every user session when he changes the password).

@@igor9silvaThis is the correct answer. How you transfer the data (cookie or header) is not really important for how the validation works. Also really good tip about revoking access control👍

​@@igor9silvacouldn't you just use a UUID for every device for this method? So you concat and hash user id, username and the device uuid, if that token doesn't match one stored on the server then access denied...

kzfaq.info/get/bejne/arF4nLalldWwemQ.html

Interesting, I permit both so I don't need to make a frontend and backend api, feels like it just needlessly complicates things, couldn't find any articles about pros and cons of doing this? Is there any benefit, if so I'd be greatful if someone can let me know

To me, using http only cookies is the better option. Not only are they automatically attached to every request, but they can’t be stolen with an XSS attack unlike using localstorage.

No. If you make the token expire quickly, then the user has to log in way more frequently. A token is created when a user logs in with lets say a username and password. If that token is set to last for 30 mins, then during that 30 mins, if the user logs out, he doesn't have to enter his username and password to log in, he would enter the website automatically. But once 30 mins has passed and the user closes the website, the token will expire and he would have to put the username and password again to enter the website and create another token that would last another 30mins. The longer the token time, the less frequently the user has to log in with his username and password. And there is actually no need to fear hackers lmao(I can explain why if you want to know but JWT's are virtually impossible to hack). The only way is if the hacker steals the device of the user and the jwt has not expired yet, the hacker can just login freely, which just makes him a thief, lol. The responsibility of keeping the device safe falls on the user, not the web server(your server) but yeah you could make the jwt expiry time very short but I dont think its worth it

@@LilmeMusic Ideally it would fall on the user but users are fucking stupid lmao

@@LilmeMusic That's why he mentioned the refresh token. If the auth token expires, the refresh token is used to get a new one. The refresh token will be valid for way longer than the auth token.

@@buddh4r isnt that just passing the problem to refresh token? Someone can hijack refresh token and keep making auth tokens

@ The refresh token should only be sent when required so e.g. when using cookies, set a path in order to only include the cookie in the refresh request, you can also invalidate refresh tokens once they are used and create a new one (this may requires some server state). But yes generally if the refresh cookie is stolen its bad, but its the same (or less) risk as using session cookies which are not invalidated (at least not very often when using long sessions) and send with every request.

I don't think JWTs are that complicated. It's all handled with standardized libraries that make it quick and pain-free

@Jack Lusher Sessions for the win!

can you provide more details ?

​@@mikemartin6748What library handles the refresh process in a pain-free way? Except for full-blown backend services like Supabase. And then you still have the problem that you can't invalidate a token instantly when your account was hacked and you need to change your password.

Unless you develop your server in Assembly or have a compulsory need to reinvent the wheel by writing your own code for everything, this isn't true.

It’s not solving the problem in general but it makes it harder to exploit. So definitely a way to go. The safest approach using JWTs is to store/send them as httpOnly + SameSite cookies while using the accesss/refresh token approach.

@@daheck81 Hmm I'm sending the jwt as a response and save it to localstorage but use httpOnly + SameSite cookies for the refreshToken. Is that an ok approach?

@@rumble1925 Yes, that’s actually how I'm using it most of the time as well. As long as you keep the expiry time of your access token low (< 15 mins) this is safe enough.

@@daheck81 nice, thanks :)

JWT's dont hit the database, no need to waste your time. We store nothing on our servers and database, if we did there would be no point, we would just go back to sessions. JWT's are secure enough, dont worry

I think the server only has one private key, but honestly I have no fucking clue.

The idea is that you have one key pair for all of your tokens that you might want to swap relatively frequently. Anyone could then validate the generated tokens but only the server could generate them. With purely stateless tokens the server would only need to check if the signature matches (but you might want to store revoked tokens in a database to handle revoking access) and then authenticate whatever user is specified in the token itself. The server doesn't need to keep track of all the sessions and only has to validate if the signature is valid or not. You should never use symmetric encryption in that use case.

what about storing some info in the JWT claims section? Is it a good idea?

​@@ggar493 You could, such as the hashed password and when a token is reported to be stolen etc change the users password and then hashed password in token wont match hashed password when you check it. However, whatever you put in the token you have to check on every request, the same as storing it in the DB with a "valid" column. The DB approach is simple and more likely for devs to understand. Also, the info in a token would have to be sensitive to the user somehow, then you're sending sensitive info around the net, encrypted or not it should be avoided, as this is a primary reason for tokens - authenticate with sensitive data once then use the token.

you can also store whatever user data you want inside the JWT, which is handy and saves on traffic

Sounds very bloated more like. You'd get the negative parts of both without the positive parts of either (not that JWT has any positive parts in the first place, though).

@@Mankepanke "Not that JWT has any positive parts in the first place" then why oh why are people using it enough for it to be one out of the two standards for web authentication? Why, Magnus Bergmark, why? People will really fanboy over the tiniest things.

@@uwirl4338 Mostly because of it's simplicity. I'd concur that security wise, well implemented sessions are most likely more secure than well implemented JWT, but JWTs are easier to quickly add to any codebase, especially with the popularity of "serverless" nowadays, I think

@@uwirl4338 .... When you are in a argument never ever attempt to bring up that just because people uses a technology means that is good... Also, the amount of people using it doesn't relate to why it is a standard...

@@theraven.4 has anyone asked for a life advise here though?.. don't think so )