#1 2022-02-13 11:00:30

From: Crete, Greece
Registered: 2020-02-18
Posts: 184

JWT and ORM calls

I am having a TRestHttpServer created with useBidirAsync, secSynShaAes and I set the JWTForUnauthenticatedRequest to use JWT

1. Reading a discussion (https://synopse.info/forum/viewtopic.php?id=5589) about JWT renewal, you propose to check if the token is expired before each request. How to deal with ORM methods calls from a TRestHttpClientWinHttp client in a server with JWT authentication? Should I check before every ORM call (Add, Delete, Update) if JWT is expired? Is there a callback method for ORM calls to check this automatically?
2. Websockets use already encryption using password (WebSocketsEnable/WebSocketsUpgrade), does that means that JWT is not need, if I do not need user sessions?
3. If Websocket connections do not need an additional authentication like JWT, do you recommend to run ORM methods over a Websocket upgraded client? Is the load penalty acceptable?

Thank you in advance

Last edited by dcoun (2022-02-13 12:51:43)


#2 2022-02-13 19:49:00

From: France
Registered: 2010-06-21
Posts: 13,187

Re: JWT and ORM calls

1. There is no such client-level automatic renewal yet.
But it is a good idea. I will try to make something included.

2. With WebSockets encryption, you don't neet a JWT.
But ensure that you disable the regular HTTP access or the ORM methods.
And you could use a weak session with no password over WS encryption, if you need a session at some point in the future.

3. There is no penalty using the WebSockets link for ORM - especially with mORMot 2, which has a new WS server with a thread pool.

4. (!) don't use secSynShaAes which is non safe because it is optional.
It is disabled in mORMot 2, if PUREMORMOT2 conditional is defined.


Board footer

Powered by FluxBB