I have a TRestHttpServer created with useBidirAsync and secSynShaAes, and I set JWTForUnauthenticatedRequest to use JWT.
1. Reading a discussion (https://synopse.info/forum/viewtopic.php?id=5589) about JWT renewal, you propose to check if the token is expired before each request. How to deal with ORM method calls from a TRestHttpClientWinHttp client in a server with JWT authentication? Should I check before every ORM call (Add, Delete, Update) if the JWT is expired? Is there a callback method for ORM calls to check this automatically?
2. Websockets already use encryption with a password (WebSocketsEnable/WebSocketsUpgrade). Does that mean that JWT is not needed, if I do not need user sessions?
3. If Websocket connections do not need an additional authentication like JWT, do you recommend to run ORM methods over a Websocket upgraded client? Is the load penalty acceptable?
Thank you in advance
Last edited by dcoun (2022-02-13 12:51:43)
1. There is no such client-level automatic renewal yet.
But it is a good idea. I will try to make something included.
2. With WebSockets encryption, you don't need a JWT.
But ensure that you disable the regular HTTP access or the ORM methods.
And you could use a weak session with no password over WS encryption, if you need a session at some point in the future.
3. There is no penalty using the WebSockets link for ORM - especially with mORMot 2, which has a new WS server with a thread pool.
4. (!) Don't use secSynShaAes, which is not safe because it is optional.
It is disabled in mORMot 2, if the PUREMORMOT2 conditional is defined.