30 lines
1.0 KiB
Markdown
30 lines
1.0 KiB
Markdown
---
|
|
title: Security
|
|
anchor: sec-overview
|
|
weight: 8
|
|
---
|
|
|
|
**DO NOT STORE PLAINTEXT SECRETS**. For developers that aren't _rarted_ this
|
|
isn't hard but if you think about doing this, don't.
|
|
|
|
With the secret value compromised there is nothing you can do(that I encourage anyways)
|
|
to tell if that account has been stolen.
|
|
If for some reason you(an admin) believes an account has been stolen, then
|
|
lock the account by removing its permissions.
|
|
|
|
JSON Web Tokens are used as a kind of session/cookie system as user applications
|
|
are not assumed to be browsers ever.
|
|
Freechat servers do not assume user apps to be browser to give people maximum
|
|
freedom in both application choice and developers freedom to use whatever hipster
|
|
libraries/frameworks languages they want.
|
|
|
|
* JWT's should **never** last more than 1 week
|
|
* 24 hours is fine but they should **always expire**
|
|
|
|
* JWT's should **always** be re assignable with the /login route
|
|
|
|
>I hate jwt
|
|
|
|
Sucks that what we use until a more flexible standard is designed/developed/doc'd.
|
|
|