Hello dear @AB
I have a function for generating JWT tokens, one for validating them, and another for revoking them.
I created a whitelist for URLs that don’t require authentication and a blacklist for tokens that haven’t expired but have been revoked.
In the `OnBeforeURI` event, if the URL is in the whitelist, I skip token validation and let the request proceed.
If the URL isn’t in the whitelist, I validate the token. If the token is valid and not in the blacklist, authentication is completed, and the corresponding method for that URL is executed.
I did all this because I couldn’t find an automatic solution for this in mORMot2.
I have two questions:
1. Is there no automatic solution for this, and do I have to handle it this way?
2. My problem is with URLs that have slight variations — for example, `api/Auth.Login` and `api/Auth/Login` are both valid. Is there a way to avoid adding multiple similar URLs to the whitelist?
Last edited by Kabiri (2025-03-17 07:47:56)
Usually I use some " if IdemPChar() " in the OnBeforeUri to quickly check the bearer.
Since most of the URIs are likely to be protected, it seems fair enough: only a few URIs to check.
The idea is to be hardened/closed by default, and only allow the few needed unauthenticated URIs.
For the blacklist of tokens, you may consider using our TBinaryCookieGenerator from mormot.crypt.secure, which maintains such a list, in a very efficient manner.
This TBinaryCookieGenerator class may be better than JWT in practice.
Thanks, I’ll try it.
But you are right, there is a simple JWT/Bearer implementation needed for the REST server.
If you don't use the default authentication, which is pretty much mORMot/pascal-centric, there is some additional work to do.
I will look into adding a new authentication method via a TBinaryCookieGenerator and an Authentication: Bearer token.
It would be great to add a new authentication method.
Using IdemPChar() was suitable for uppercase and lowercase letters, but it differentiated between "." and "/".
To fix the problem, I used this code: `StringReplace(Ctxt.Call^.Url,'.','/',[rfReplaceAll])`
Unfortunately, I was unable to use TBinaryCookieGenerator.
I am a bit late, but for question #1 I'd like to give this awesome post as a reference:
refresh-tokens-what-are-they-and-when-to-use-them on the auth0.com blog.
Well explained, and it makes things crystal clear.
Also, it will be easier to find it when searching on the forum.
@flydev
Thanks