I’m working on a test bot to understand the API and I have a question about authentication and JWT validation.
As far as I can see, the way to authenticate is to call the /user/login endpoint with valid credentials, which will return a JWT. All is good except the JWT payload. I see that it contains iat but nothing about expiry (exp).
Now, I wanted to use the JWT for multiple requests, but that’s difficult if I cannot figure out when the token expires. What is the best way to be sure about the validity of a JWT before using it? Should I get a new JWT before every operation, is that the intended behavior? Or maybe I misunderstand the way authentication works with Lemmy?
Edit: I asked this on the Lemmy Development channel a few days ago and apparently someone has created an issue on GitHub. So, perhaps this will be addressed in a later update.
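As an added example (not code from the original post or from Lemmy), here is how a test bot can inspect a JWT's payload client-side to decide whether to reuse a cached token or log in again. The client cannot verify the server's signature (it does not hold the signing key), so this only reads iat/exp; when exp is absent, as the post describes, it falls back to a client-side maximum age. The helper make_sample_token, the 24-hour max_age_s default and the 60-second clock skew are assumptions made for this example, not Lemmy behaviour.

```python
import base64
import json
import time
from typing import Callable, Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT *without* verifying the signature.

    This is only for reading iat/exp on the client; authorization decisions
    still belong to the server, which does verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def token_is_usable(token: str, now: Optional[float] = None,
                    max_age_s: int = 24 * 3600, skew_s: int = 60) -> bool:
    """Decide whether a cached token is worth sending.

    - If 'exp' is present, treat the token as unusable slightly *before* exp
      (skew_s) so a request does not fail mid-flight.
    - If only 'iat' is present (no expiry, as in the post), apply an assumed
      client-side max age (max_age_s) and re-login after that.
    - If neither claim is present, there is no lifetime information: re-login.
    """
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    exp = claims.get("exp")
    if exp is not None:
        return now < exp - skew_s
    iat = claims.get("iat")
    if iat is None:
        return False
    return now - iat < max_age_s


def get_token(cached: Optional[str], login: Callable[[], str],
              now: Optional[float] = None) -> str:
    """Return the cached token if still usable, otherwise call login() for a fresh one."""
    if cached is not None:
        try:
            if token_is_usable(cached, now=now):
                return cached
        except ValueError:
            pass  # malformed cache entry: fall through and log in again
    return login()


# Constructed sample for offline use: builds an HS256-shaped token with a dummy
# signature. Real tokens come from the /user/login endpoint.
def make_sample_token(claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{enc(header)}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    iat = 1_700_000_000
    tok = make_sample_token({"sub": 1, "iat": iat})
    print(decode_jwt_claims(tok))
    print("usable 1h later:", token_is_usable(tok, now=iat + 3600))
    print("usable 25h later:", token_is_usable(tok, now=iat + 25 * 3600))
```

The bot keeps one token per account, calls get_token before each request, and passes a login callable that hits /user/login only when needed; if the server ever starts issuing exp, the same code honours it without changes.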
Lemmy is not very developed in this area. As far as I can tell, JWTs do not expire and there are no refresh tokens. I think instance admins can manually revoke JWT tokens globally, but otherwise they are valid indefinitely. I’m hoping this will be improved, because JWTs are already not the most secure—especially without ttls, 2fa, and refresh tokens
It doesn’t look very good, no. It would be good to bring Lemmy to OAuth 2.1 where the self-contained token with a sensible lifetime is passed in the Authentication header. Currently it’s either passed in the URL (GET) or in the model (PUT/POST).
I have some OAuth experience, but I’m not a Rust developer. So, I thought of offering some help regarding design and testing of an OAuth mechanism, but since I cannot really contribute to implementation, that may not be that much of a help. Also, this kind of a change will break at least some of the existing clients. I don’t know if the core team would be willing to make such a change.