What are some potential ways to misuse signed Global IDs?
ravicious opened this issue
Some of you might be familiar with the "No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid" post.
Recently at work we began sending a callback URL to a 3rd party. To verify that it's indeed the 3rd party that's calling back the endpoint, someone suggested putting a JSON web token in the payload. I suggested using signed Global IDs, since they're accessible OOTB in Rails and also, in my impression, are somewhat more secure than JWT.
However, in the context of that post, I was wondering whether there are ways in which signed Global IDs might be misused. I'm not a security expert, so it's hard for me to grasp if this library can be used in insecure ways.
I suppose it wouldn't be that great for storing sessions for the same reasons as JWT. If there's a need to invalidate certain signed IDs, globalid doesn't handle this out of the box, so that also might not be that great of a pick.
Anything else that comes to your mind?
Please use https://discuss.rubyonrails.org/ for questions/help, where a wider community will be able to help you. We reserve the issues tracker for issues only.
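The misuse cases the question raises (a signed ID accepted for a purpose it was not minted for, a token that never expires, no way to revoke one) are easier to reason about with a runnable model. The Ruby below is an added example, not code from globalid or from the post: it reimplements the essentials of a SignedGlobalID as an HMAC-SHA256 over a base64 JSON payload, a simplified stand-in for the ActiveSupport::MessageVerifier the gem uses (same shape, not byte-compatible). The secret, the gid://app/User/42 identifier, the purpose names and the REVOKED table are constructed for the demo. In the real gem the equivalent knobs are SignedGlobalID.create(record, for: "callback", expires_in: 1.hour) and GlobalID::Locator.locate_signed(token, for: "callback"); the revocation list has no gem counterpart, which is exactly the gap the question points at.

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Constructed secret standing in for Rails' secret_key_base. Not for real use.
SECRET = "constructed-demo-secret".freeze

# Server-side revocation list. Nothing like this exists in globalid itself:
# a signed ID stays valid until it expires unless the app tracks revocations.
REVOKED = {}

# Constant-time string comparison so tag checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce "base64(json)--hmac", the shape ActiveSupport::MessageVerifier uses
# (simplified, not byte-compatible). Purpose and expiry live inside the signed
# payload, so a token holder cannot change either without breaking the tag.
def sign_gid(gid, purpose:, expires_in: nil, now: Time.now)
  exp = expires_in ? (now + expires_in).utc.iso8601 : nil
  payload = Base64.strict_encode64(
    JSON.generate({ "gid" => gid, "pur" => purpose, "exp" => exp })
  )
  "#{payload}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
end

# Return the GID string if the token is authentic, minted for the expected
# purpose, unexpired and not revoked; nil otherwise. The first three checks
# mirror GlobalID::Locator.locate_signed(token, for: purpose); the revocation
# check is app-side state that the gem does not provide.
def verify_sgid(token, purpose:, now: Time.now)
  payload, tag = token.to_s.split("--", 2)
  return nil if payload.nil? || tag.nil?
  return nil unless secure_equal?(tag, OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload))
  data = JSON.parse(Base64.strict_decode64(payload))
  return nil unless data["pur"] == purpose                       # scoped to one use
  return nil if data["exp"] && Time.iso8601(data["exp"]) <= now  # expiry honoured
  return nil if REVOKED[token]                                   # our own denylist
  data["gid"]
rescue ArgumentError, JSON::ParserError
  nil
end

# Exercise the cases from the question. Fixed clock so results are deterministic.
def demo(now: Time.utc(2024, 1, 1, 12, 0, 0))
  REVOKED.clear
  gid = "gid://app/User/42"                                        # constructed
  callback = sign_gid(gid, purpose: "callback", expires_in: 3600, now: now)
  session  = sign_gid(gid, purpose: "session", now: now)           # no expiry at all

  # Forgery attempt: reuse the genuine tag over a payload naming another user.
  forged_payload = Base64.strict_encode64(
    JSON.generate({ "gid" => "gid://app/User/1", "pur" => "callback", "exp" => nil })
  )
  forged = "#{forged_payload}--#{callback.split("--").last}"

  results = {
    valid:         verify_sgid(callback, purpose: "callback", now: now + 60),
    wrong_purpose: verify_sgid(callback, purpose: "password_reset", now: now + 60),
    expired:       verify_sgid(callback, purpose: "callback", now: now + 7200),
    forged:        verify_sgid(forged, purpose: "callback", now: now + 60),
    # Without expires_in the token is replayable indefinitely: still valid ten years on.
    stale_session: verify_sgid(session, purpose: "session", now: now + 10 * 365 * 86_400),
  }
  REVOKED[session] = true   # the only way to kill it early is state we keep ourselves
  results[:revoked] = verify_sgid(session, purpose: "session", now: now + 60)
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
end
```

Two of the outcomes are the ones that matter for the question: the token minted without expires_in verifies unchanged a decade later, which is why a signed GID is a poor session credential, and the revoked token is rejected only because the verifier consults a table the application maintains itself. A verifier that skips the purpose check would accept the callback token anywhere a signed GID for a User is located, so always pass the same `for:` value when creating and when locating.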