
bug: Store IPs of the user in the DB along with the token, make sure the token is valid for that IP

Open hkirat opened this issue 1 year ago • 6 comments

If someone steals my JWT, they should not be able to access my dashboard; we should check if the IP is the same as the one they logged in with.

hkirat avatar Sep 07 '24 17:09 hkirat

on it, trying

Edit: done here #1162

ItsFlash10 avatar Sep 07 '24 17:09 ItsFlash10

On it! #trying

farjad-akhan avatar Sep 07 '24 17:09 farjad-akhan

@hkirat Do we have to add a model for IP, where we save all IPs, or just one more column in the user table? And can we stop him from logging in if the IPs are not the same? But do we have to remove the IP from the DB when the user logs out from that device?

MeerUzairWasHere avatar Sep 07 '24 21:09 MeerUzairWasHere

@hkirat, do we need to save ipAddress in the session or in userschema?

nawinsharma avatar Sep 07 '24 22:09 nawinsharma

@hkirat do we want this? Really?

devsargam avatar Sep 20 '24 19:09 devsargam

If someone steals my JWT, they should not be able to access my dashboard; we should check if the IP is the same as the one they logged in with.

Hey @hkirat and @devsargam ,

Instead of IP tracking, we should use HTTP-only cookies for storing the JWT, in combination with CORS, which can mitigate the mentioned issues of stealing the JWT and accessing content.

POV: In case the JWT is stolen even with this implementation, the attacker is not able to access the dashboard because he can't set the cookie for our origin; ultimately CORS will take effect if he tries from another origin.

I can work on this if it resolves what you mentioned.

rishav-goswami avatar Oct 08 '24 03:10 rishav-goswami