Remove query JWTs (breaking change) #793
Closed
Is there a good reason to need to support query JWTs at the framework level?
The reason why I ask is because I believe enabling query JWTs punches a small security hole into the framework, and by extension Loco's users.
Intermediate proxies log requests, and the requirements for shipping/aggregating those are usually less secure than the applications and surrounding infrastructure themselves. This can be further exacerbated by engineering and ops teams having access to production logs via their machines. Finally, end users can also accidentally end up sharing their tokens. All of those can lead to session stealing/hijacking/replays.
I realise a lot of these are self inflicted errors, and some of them can be worked around or diminished, but I don't expect everyone to be hyper-vigilant about security!
Lastly, I don't think it has a great cost-benefit ratio: the cost is very steep (a potential security hole, which is a nightmare on multiple fronts: monetary, reputation, data loss), while the benefit is negligible: most anything sending a request can attach a header or a cookie already; usually attaching headers/cookies is also more ergonomic than fiddling with query params.
Overall, I'd rather Loco errs on the side of providing only safe options out of the box, especially surrounding stuff like AuthN/AuthZ.
If users really want or need to implement something like this, they can shoot themselves in the foot on their own terms, but at least we've not given them the gun!
Hope I managed to get my thoughts across clearly. Also, I realise this might be a Chesterton's fence type of situation, though! So, I'm happy to discuss and even be convinced otherwise!
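The leak the comment above describes, as an added, std-only Rust example that is not Loco's code: a typical proxy or web server writes the request line (method plus full request-target, query string included) to its access log, but not the Authorization or Cookie headers. The `Request` type, the cookie name `auth`, the query parameter name `token` and the JWT-shaped sample string are all constructed for this example; the extractor accepts only the header and cookie forms and returns `None` for `?token=`.

```rust
// Added example (not Loco's code): why a JWT in the query string ends up in
// access logs, and an extractor that refuses that source on purpose.
//
// Assumptions (hypothetical, chosen for this example): the `Request` shape,
// the cookie name `auth`, the query parameter name `token`.

/// A bare-bones HTTP request: method, request-target (path + query), headers.
pub struct Request<'a> {
    pub method: &'a str,
    pub target: &'a str,
    pub headers: &'a [(&'a str, &'a str)],
}

/// Where a token was found. The query string is deliberately not a variant.
#[derive(Debug, PartialEq)]
pub enum TokenSource {
    Bearer,
    Cookie,
}

/// Extract a token from `Authorization: Bearer ...` or the `auth` cookie.
/// Returns `None` if neither carries one, even when `?token=` is present.
pub fn extract_token<'a>(req: &Request<'a>) -> Option<(TokenSource, &'a str)> {
    // Header first: the usual form for API clients.
    for &(name, value) in req.headers {
        if name.eq_ignore_ascii_case("authorization") {
            if let Some(rest) = value.strip_prefix("Bearer ") {
                let token = rest.trim();
                if !token.is_empty() {
                    return Some((TokenSource::Bearer, token));
                }
            }
        }
    }
    // Then the cookie jar: the usual form for browsers.
    for &(name, value) in req.headers {
        if name.eq_ignore_ascii_case("cookie") {
            for pair in value.split(';') {
                if let Some(token) = pair.trim().strip_prefix("auth=") {
                    if !token.is_empty() {
                        return Some((TokenSource::Cookie, token));
                    }
                }
            }
        }
    }
    None
}

/// What a typical access log records per request: the request line.
/// Headers and cookies are normally not logged; the full target is.
pub fn access_log_line(req: &Request<'_>) -> String {
    format!("{} {} HTTP/1.1", req.method, req.target)
}

/// Does the token appear verbatim in the access log line?
pub fn token_leaks_into_log(req: &Request<'_>, token: &str) -> bool {
    access_log_line(req).contains(token)
}

fn main() {
    // Constructed, JWT-shaped sample string; not a real credential.
    let jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl";

    let bearer = format!("Bearer {jwt}");
    let hdrs = [("Authorization", bearer.as_str())];
    let by_header = Request { method: "GET", target: "/api/me", headers: &hdrs };

    let query = format!("/api/me?token={jwt}");
    let none: [(&str, &str); 0] = [];
    let by_query = Request { method: "GET", target: query.as_str(), headers: &none };

    for (label, req) in [("header", &by_header), ("query", &by_query)] {
        println!(
            "{label}: extracted={:?} log=\"{}\" leaks={}",
            extract_token(req),
            access_log_line(req),
            token_leaks_into_log(req, jwt)
        );
    }
}
```

Running `main` prints an `Authorization`-header request whose log line is just `GET /api/me HTTP/1.1`, and a query-string request whose log line contains the whole token while the extractor still returns `None` for it: the log leak exists regardless of whether the framework honours the parameter, which is why the safe default is to not read it at all.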