
I am creating a token system for our web application. What do you guys think, is this isWebTokenAvailable() method safe?

    import javax.persistence.EntityManager;
    // @NonNull comes from the project's annotation library (e.g. Lombok or Spring)

    // em is the EntityManager injected into the surrounding service class
    private EntityManager em;

    /**
     * Checks if webToken is available {@link de.security.WebToken}.
     *
     * @param webToken to check if webToken is available.
     * @return true if webToken is available and if there is no available token then returns false.
     */
    public boolean isWebTokenAvailable(@NonNull String webToken) {
        return !em.createNamedQuery("validateToken").setParameter("token", webToken)
                .getResultList().isEmpty();
    }
  • Which safety are you talking about? – Shanu Gupta May 17 '18 at 09:12
  • @ShanuGupta for example, what if I give another token String? It can be wrong, but my list is not empty, that's why I get true as return. –  May 17 '18 at 09:14
  • What does the `validateToken` query look like? – Kayaman May 17 '18 at 09:17
  • What kind of security are you talking about here, related to SQL injection in the query or authentication on the basis of your token? – Suvansh May 17 '18 at 09:19
  • @Kayaman `@NamedQuery(name = "validateToken", query = "select t from WebToken t where t.token = :token and t.expireDate > current_timestamp() ")` –  May 17 '18 at 09:20
  • @sCom my concern is authentication on the basis of my token –  May 17 '18 at 09:21
  • Your code has no concept of a **wrong** token. There are just tokens which are either valid (or available) or not. – Kayaman May 17 '18 at 09:23

1 Answer

As far as I have understood, if you have authentication concerns, you just need to verify the steps below:

  • While you are creating a token you need to set basic things in it, like userRole/id, according to the requirements of your app.
  • And you need to validate the user by extracting that info from the token and validating it with the info in your database.
  • Providing the token from the DB is just the step you are doing after authentication; that just checks the expiry.
Suvansh
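An added example of the answer's second point (not the asker's or the answerer's code): a lookup that binds the token to the user it was issued for and checks expiry, so a valid token belonging to somebody else no longer yields true. It assumes a `WebToken` entity with `token`, `userId` and `expireDate` (java.util.Date) fields, a unique constraint on `token`, and an injected `EntityManager` named `em`, like the question's code.

```java
import java.util.Date;
import java.util.Optional;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.TemporalType;
import javax.persistence.TypedQuery;

public class WebTokenService {

    private final EntityManager em;

    public WebTokenService(EntityManager em) {
        this.em = em;
    }

    /**
     * Looks up a token for one specific user. Unlike a plain "does any row
     * match this token" check, this fails when the token exists but was
     * issued to a different user, and when it has already expired.
     * (Assumed entity: WebToken with fields token, userId, expireDate.)
     */
    public Optional<WebToken> findValidToken(String webToken, long userId) {
        TypedQuery<WebToken> q = em.createQuery(
                "select t from WebToken t"
                + " where t.token = :token"
                + "   and t.userId = :userId"
                + "   and t.expireDate > :now", WebToken.class);
        q.setParameter("token", webToken);
        q.setParameter("userId", userId);
        // Compare against the application clock instead of a DB function,
        // so the expiry rule does not depend on the database's time zone.
        q.setParameter("now", new Date(), TemporalType.TIMESTAMP);
        try {
            // token is unique, so at most one row can match
            return Optional.of(q.getSingleResult());
        } catch (NoResultException e) {
            return Optional.empty();
        }
    }

    /** Boolean wrapper in the style of the question's isWebTokenAvailable(). */
    public boolean isWebTokenValidFor(String webToken, long userId) {
        return findValidToken(webToken, userId).isPresent();
    }
}
```

The caller must obtain `userId` from the authenticated session or the token's own claims, as the answer describes, not from a request parameter the client controls.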