
I'm looking to secure my electron desktop app with user credentials (username + password), but I'm having a hard time finding the right technology to use. Requirements:

  1. Number of activations can be determined (e.g. x copies of the app can be activated at any given time)
  2. The user can deactivate/revoke access to all active instances remotely.
  3. The activated copy will not need to be re-authenticated manually indefinitely if the user does not log out remotely.
  • For example, the user can authenticate themselves, not use the desktop app for a long time, and then not be expected to log in again when they re-open it.

I am currently looking at JWT as it somewhat satisfies 2. However, I've read that it's advised that the tokens not be saved in a database, so if I need to blacklist tokens, the blacklist would be a forever-growing collection, which is not ideal (unless you had a cronjob to remove expired tokens).

I'm not sure which solution would be ideal here that would meet the requirements.

JC

1 Answer


Use JWT. Create two tokens: an access token and a refresh token. The access token will be short-lived (minutes), the refresh token will be long-lived (hours, days, weeks). Follow the best practice in token handling (Access token and Refresh token best practices; How to implement Access & Refresh Tokens). Also comply with the OWASP ASVS V3 requirements regarding session handling.

You actually do want the refresh token to expire. Else you would need to hold them in some blacklist forever. Forever is pretty long. Having to delete the expired logs from storage is a small price to pay for this level of flexibility you are willing to implement.

Make the refresh token hold two additional attributes:

  1. Unique identifier
  2. Human readable name

so the user knows which tokens he is invalidating. You would put into the blacklist the unique identifier and the expiration date.

You can identify how many copies of the application are being used based on the active access token count.

Marek Puchalski