
[feature] Add support for PASETO tokens #586

Open
BusterNeece opened this issue Dec 1, 2022 · 4 comments

Comments

@BusterNeece

JWT tokens have long been considered too permissive for their own good, in a way that often exposes them to insecurities in regular web application use. Many infosec researchers have started suggesting against their use as a result.

A project that has sprung up and is very popular (especially in the PHP world) is PASETO, or Platform Agnostic SEcurity TOken. It has all of the portability of JWT tokens, but with strictly defined encryption standards that ensure they are always used safely.

More information and supporting libraries are available here: https://paseto.io/

Worthy of note is that there are two Golang libraries offering wide compatibility with the modern generation of PASETO tokens.

It would be excellent to see this supported for client authentication in Centrifugo, as it would absolutely be the type of token that I would be implementing in any application that required secure authenticating tokens.

@FZambia
Member

FZambia commented Dec 4, 2022

@BusterNeece hello! In general Paseto tokens seem nice, I've read about them before. Though before implementing them in Centrifugo I'd like to collect a better understanding of whether this is useful for a wider audience, for other Centrifugo users. You mentioned Paseto is popular in the PHP ecosystem. Could you elaborate more on this - why do you think so, do you know any popular projects which use them?

@francislavoie

I'm not using Centrifugo yet, but I'm considering it for an upcoming project, reading the docs, etc.

I also came here wondering if any work had been done on adding PASETO support. I don't have any trust in JWT due to the bevy of vulnerabilities that have occurred in the past few years. Sample: https://www.howmanydayssinceajwtalgnonevuln.com/ (sourced from https://github.com/zofrex/howmanydayssinceajwtalgnonevuln/blob/deploy/data/vulns.yml)

@HeCorr

HeCorr commented Apr 1, 2023

I would also definitely use PASETO over JWT on any project, and if that project also made use of Centrifugo it would be great to not have to support JWT as well.

@artemsiberiangit

I agree, I would like to see Paseto
