Restrict capabilities that can be performed through the JWT token [3pt]
luisherranz opened this issue
As per @nicholasio's suggestion, we should not store the `capabilities` and `allowed_methods` in the JWT and keep them in the code instead. The token should only contain a type, like `type=preview`. Then, the code should check if `type=preview` is present and grant the proper capabilities, instead of relying on the information stored in the JWT. That way, no other capabilities can be granted, even if the private keys (`SECURE_AUTH_KEY` or `FRONTITY_JWT_AUTH_KEY`) are exposed.
He also suggests that we add a Frontity signature. I guess it could be as simple as `generator=frontity`, because it will simply be used to avoid reading a token that was not generated by us but that also used `SECURE_AUTH_KEY` for the private key.
The conversation and @nicholasio's full explanation are here: https://community.frontity.org/t/wordpress-preview-support/2419/30?u=luisherranz
We have started working on this in this branch, although it is not working yet: https://github.com/frontity/frontity-embedded/tree/restrict-token-capabilities