Show HN: My own tokenization method in Python, open to feedback
Hi, I like Python a lot and I don't like JWT, so when I needed a tokenization method, I tried making my own.

Mistyped the link :( https://github.com/YasTouchedMySpaggett/Fernet_Tokenization here's the correct one.

I would love some feedback on it : )

Line 40: I would prefer not to concat to make SQL strings, in case the code is modified to include untrusted text in the future.

I don't know what this does, I assume something like JWT? But why hate JWT? The old adage of "don't roll your own crypto" applies (unless you know enough to break that rule).

I am making a social app and JWT has some security concerns. Quote from https://www.akamai.com/blog/security-research/owasp-authenti...:

Six threats to JWTs
1) Allowing the server to use a token without validation.
2) Using the same private key for different applications.
3) Using a weak signing algorithm.
4) Choosing a short and/or low-entropy private key.
5) Keeping sensitive data in a JWT's payload.
6) Confusing the keys.

Thanks for your feedback : ) To address issues 2, 3 and 4:
2) You may use the "same key", but you have the option to change it whenever you want.
3/4) Fernet is a VERY strong encryption algorithm.
I encourage the storing of the token so you can cross-check the information with a "local authentic copy". That way issues 1 and 6 of JWT are fixed, and issue 5, since you don't actually store "information" in the key: EVEN if someone steals your key, he cannot steal sensitive data from it. Now I put information in quotes because you do put something, like the username, to make the key unique to the user, but the username was already "public information", so no "user personal data" leakage in case of a disaster.
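To make the scheme discussed in the thread concrete, here is an added example (not code from the linked repository): a Fernet token whose only payload is the username, a server-side copy that is cross-checked on every use, key rotation with MultiFernet, and a store that binds SQL parameters instead of concatenating them, as the "line 40" comment asks. It assumes the third-party `cryptography` package; the in-memory SQLite table is constructed for the demo.

```python
import hmac
import sqlite3
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class TokenStore:
    """Fernet session tokens kept server-side and cross-checked on each use."""

    def __init__(self, keys: List[bytes], ttl_seconds: int = 3600):
        # keys[0] encrypts new tokens; the rest are still accepted for decryption
        self._keys = list(keys)
        self.fernet = MultiFernet([Fernet(k) for k in self._keys])
        self.ttl = ttl_seconds
        self.db = sqlite3.connect(":memory:")  # constructed in-memory store
        self.db.execute(
            "CREATE TABLE sessions (username TEXT PRIMARY KEY, token TEXT NOT NULL)")

    def issue(self, username: str) -> str:
        # The payload is only the username, so a stolen token leaks nothing private;
        # Fernet's random IV makes every issued token distinct even for one user.
        token = self.fernet.encrypt(username.encode()).decode()
        # Bind the values instead of concatenating them into the SQL text.
        self.db.execute(
            "INSERT OR REPLACE INTO sessions (username, token) VALUES (?, ?)",
            (username, token))
        return token

    def validate(self, token: str) -> Optional[str]:
        try:  # bad MAC, wrong key, corrupt base64 or expired timestamp all land here
            username = self.fernet.decrypt(token.encode(), ttl=self.ttl).decode()
        except InvalidToken:
            return None
        row = self.db.execute(
            "SELECT token FROM sessions WHERE username = ?", (username,)).fetchone()
        # Cross-check against the server's own copy: a revoked or superseded token
        # still decrypts, but no longer matches, so it is rejected.
        if row is None or not hmac.compare_digest(row[0], token):
            return None
        return username

    def revoke(self, username: str) -> None:
        self.db.execute("DELETE FROM sessions WHERE username = ?", (username,))

    def rotate_key(self, new_key: bytes) -> None:
        # New tokens go out under new_key; older keys remain so outstanding
        # tokens keep verifying until they expire or are reissued.
        self._keys.insert(0, new_key)
        self.fernet = MultiFernet([Fernet(k) for k in self._keys])
```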