-
-
Notifications
You must be signed in to change notification settings - Fork 601
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Add support for PASETO tokens #586
Comments
@BusterNeece hello! In general Paseto tokens seem nice, I've read about them before. Though before implementing them in Centrifugo I'd like to collect better understanding whether this is useful for wider audience, for other Centrifugo users. You mentioned Paseto is popular in PHP ecosystem. Could you elaborate more on this - why do you think so, do you know any popular projects which use them? |
I'm not using Centrifugo yet, but I'm considering it for an upcoming project, reading the docs, etc. I also came here wondering if any work had been done on adding PASETO support. I don't have any trust in JWT due to the bevy of vulnerabilities that have occurred in the past few years. Sample: https://www.howmanydayssinceajwtalgnonevuln.com/ (sourced from https://github.com/zofrex/howmanydayssinceajwtalgnonevuln/blob/deploy/data/vulns.yml) |
I would also definitely use PASETO over JWT on any project, and if that project also made use of Centrifugo it would be great to not have to support JWT as well. |
I agree, I would like to see Paseto |
JWT tokens have long been considered too permissive for their own good, in a way that often exposes them to insecurities in regular web application use. Many infosec researchers have started suggesting against their use as a result.
A project that has sprung up and is very popular (especially in the PHP world) is the PASETO, or Platform Agnostic SEcurity TOken. It has all of the portability of JWT tokens, but with strictly defined encryption standards that ensure they are always used safely.
More information and supporting libraries are available here: https://paseto.io/
Worthy of note is that there are two Golang libraries offering wide compatibility with the modern generation of PASETO tokens.
It would be excellent to see this supported for client authentication in Centrifugo, as it would absolutely be the type of token that I would be implementing in any application that required secure authenticating tokens.
The text was updated successfully, but these errors were encountered: