My Setup
I am using React and Django as frontend & backend. For authorization purposes I chose Django-rest-knox, which works via tokens stored in a database.

My Problem
Now if an attacker gets a hold of the token (stored in local storage on the client side after a login), he can do anything that the user is able to. There is some expiration on the token and the ability to destroy all tokens of the user by the user himself. But I'd like to be on the safer side.

My Solution
My idea is to map all tokens to the IP address (of the user) that was used to login. That way the token would only be usable on the machine that was used to login. That token-to-IP-address relation would be checked on the backend.

My Questions

  1. Is the idea feasible at all or is there anything in the nature of those IP addresses that breaks my intent?
  2. What is the best way to get the client IP-address?
  3. Do you think that is a secure approach?

Thanks for the help!

Magnesia

1 Answer

  1. The idea is feasible but not efficient. The main problem is that not everyone is using a static IP address, and this will bring you a lot of negative feedback from your users, because every time a user's IP address changes (via modem reset, power cut, provider problems, etc.) he/she/it will have to be authenticated again.

  2. You use the 'HTTP_X_FORWARDED_FOR' meta field; this works for almost all backend frameworks as well as Django. You can check this link: How do I get user IP address in django?

  3. This idea may come with some security, but I'll give you a better one that I am currently using in my own application.

My solution: Refresh tokens. With refresh tokens, every time an access token expires (on average 15 min is ideal) the user will request a new access token via his/her/its refresh token. This way, even if an attacker gets a user's access token, it will only be usable for 15 minutes (you can make it 5-10-15-... mins as well).

Wai Ha Lee
euler
  • 1- I see, I only thought about IP addresses changing once a day with a router restart or something like that. Makes sense to not do it then. 2- Perfect. 3- I guess you don't use Django-rest-knox then, right? Because with that package you refresh with the access token itself. So if you have the token, you can refresh it indefinitely (if I turn that setting to True). It wouldn't make sense to use that solution, I think. Or am I missing something here? – Magnesia Feb 13 '21 at 12:14
  • I am not using knox, but this idea "Because with that package you refresh with the access token itself. So if you have the token, you can refresh it indefinitely (if I turn that setting to True)." seems like a security issue. Infinite access tokens are a total nightmare for you, because once an attacker captures your access token you basically have to change your secret key (if you're not using a database to hold your tokens and verify them that way). Refreshing an access token with the access token itself counters the whole idea of securing your token system. – euler Feb 13 '21 at 12:45
  • You can check this out [link](https://simpleisbetterthancomplex.com/tutorial/2018/12/19/how-to-use-jwt-authentication-with-django-rest-framework.html). You can implement the refresh token logic yourself, as I do for my app. – euler Feb 13 '21 at 12:45
  • Got it. Thank you! – Magnesia Feb 13 '21 at 13:05
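As an added example (not code from the question, the answer, or Django-rest-knox), here is plain Python with no Django dependency covering the two technical points of the answer: point 2, reading the client IP from a Django-style `META` dict while believing only the hops your own reverse proxy appended to `X-Forwarded-For` (the leftmost entry, which many snippets for the linked question use, is attacker-controlled and can be set to anything), and the refresh-token scheme, as a token store that issues 15-minute access tokens plus single-use refresh tokens that are rotated on every use, with reuse detection so a replayed refresh token revokes every token descended from that login. The `TokenStore` class, the `family` field, the TTLs, the `trusted_proxies` parameter and the injectable `clock` are all assumptions of this example; the in-memory dicts stand in for database tables and hold only SHA-256 digests of the tokens, so a dumped table gives an attacker nothing usable.

```python
import hashlib
import secrets
import time

# Lifetimes are this example's assumptions: short access tokens, as the answer
# suggests (~15 minutes), and longer-lived refresh tokens that rotate on each use.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 14 * 24 * 3600


def client_ip(meta, trusted_proxies=1):
    """Return the client IP from a Django-style request.META dict.

    Everything in X-Forwarded-For except the entries appended by your own
    proxies is attacker-controlled, so the leftmost entry can be spoofed
    freely.  Only the rightmost `trusted_proxies` entries are believed; with
    trusted_proxies=0 (no proxy in front) the TCP peer address is returned.
    """
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_proxies and len(hops) >= trusted_proxies:
        return hops[-trusted_proxies]
    return meta.get("REMOTE_ADDR")


def _digest(token):
    # Only a hash is stored, so a leaked database dump yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for the token tables (an assumption, not Knox's schema)."""

    def __init__(self, clock=time.time):
        self.clock = clock             # injectable so tests can move time forward
        self.access = {}               # digest -> {user, family, expires}
        self.refresh = {}              # digest -> {user, family, expires, used}
        self.revoked_families = set()  # a family is one login session's lineage

    def _issue(self, user, family):
        now = self.clock()
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access[_digest(access)] = {
            "user": user, "family": family, "expires": now + ACCESS_TTL}
        self.refresh[_digest(refresh)] = {
            "user": user, "family": family, "expires": now + REFRESH_TTL,
            "used": False}
        return access, refresh

    def login(self, user):
        """Each login starts a fresh family; rotations stay inside it."""
        return self._issue(user, family=secrets.token_hex(8))

    def authenticate(self, access):
        """Map a bearer token to a user, or None if unknown, expired or revoked."""
        rec = self.access.get(_digest(access))
        if rec is None or rec["expires"] <= self.clock():
            return None
        if rec["family"] in self.revoked_families:
            return None
        return rec["user"]

    def rotate(self, refresh):
        """Trade a refresh token for a new pair; the old one becomes single-use."""
        rec = self.refresh.get(_digest(refresh))
        if rec is None or rec["expires"] <= self.clock():
            return None
        if rec["used"] or rec["family"] in self.revoked_families:
            # Seen twice: either the attacker or the real user is replaying a
            # stolen token, so every token descended from this login dies.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def logout_all(self, user):
        """Counterpart of Knox's logout-all: revoke every session of the user."""
        for rec in self.refresh.values():
            if rec["user"] == user:
                self.revoked_families.add(rec["family"])


if __name__ == "__main__":
    # Constructed request metadata: a spoofed leftmost hop behind one proxy.
    meta = {"REMOTE_ADDR": "10.0.0.2",
            "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.7"}
    print("client ip:", client_ip(meta))          # 203.0.113.7, not 1.2.3.4
    store = TokenStore()
    access, refresh = store.login("alice")
    print("user:", store.authenticate(access))
    print("rotated:", store.rotate(refresh) is not None)
    print("replay rejected:", store.rotate(refresh) is None)
```

The difference from refreshing with the access token itself, as raised in the comments, is that the long-lived credential is never sent on ordinary API calls and is worthless after one use; a thief who replays a refresh token that the legitimate client already rotated triggers revocation of the whole family instead of silently extending the session. Whatever value `trusted_proxies` takes must match the real deployment (one nginx in front means 1; no proxy means 0), otherwise the IP you log or bind to is whatever the client chose to put in the header.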