I’m building a webapp with a serverless backend and Gatsby on the frontend, and I’m hoping to make it so that my backend issues a token to the client to access their resources in the database using ABAC roles. This would greatly reduce the time spent writing APIs, help ensure against data leaks, and fix the other security issues which ABAC solves. However, I am not using credentials but instead OAuth logins and JWTs. The current authentication methods are very much oriented toward credentials; however, I see that they still work without them. This is well and good, except that tokens never expire unless they are manually deleted (the Logout function), which could be done with a cron job of some sort but completely defeats the point of serverless and is counter-intuitive. If my user’s client is compromised somehow and a foreign attacker gains access to their DB token, then without a manual deletion of this token it remains valid for as long as Logout is not called. This poses a security risk should the client somehow exit unexpectedly and not call Logout.
What I found while researching this topic is this gist and a connected blog article explaining exactly my problem in detail, meaning I am not alone in this struggle. While the solution provided certainly WORKS, it is not ideal, and could be improved with a few additions to how Fauna handles tokens.
Some possible solutions are:
- Create a lambda function that determines if a token is truly “valid” after it is located in the Tokens collection. This allows for dynamic behavior regarding access to the database and provides more possibilities with authentication.
- Allow configuring a TTL for the Tokens collection, making tokens automatically revoke after a certain period of time
- Add support for other methods of authentication than tokens