Dax
Yeah, so if you set, the problem with JWTs is the upside is you can verify a JWT without calling another server. So it's really efficient. Like there's a bunch of good reasons for that. But that exact property, it makes it so someone can't revoke them. So if someone is like, oh, there's James who was leaked, I need to revoke it. Other systems are still going to keep validating it.
They don't know that you flagged it as bad. And if you try to design some kind of system to make them check a database first, then you've effectively... lost all the benefits of a JWT. So what you do is you set the JWT expiration to be really low, like five minutes, and then you also issue a refresh token, and the refresh token is not a JWT.
That's something that has to be sent to a server to get a new access token.
Okay, so the root thing is here, the access token is sent to random places. It's sent to APIs, it's sent to other people. The refresh token is never sent anywhere except to the authorization server. So that like moves, that flies around less. So it's theoretically, you know, less exposed. So we had that model.
That way, you know, if you revoke someone's refresh token, they can keep accessing the system for five minutes. But after five minutes, like their access token will expire and they'll fail to refresh a new one. So we did that design. They didn't factor that in at all. So I literally was like, I explained that, and then I said, I understand that this is going to be a continuous problem.
This is a security-related thing, so people are going to come in with these dumbass binary statements around this stuff and confuse people because people don't know. People are going to see that, and they're going to be like, oh, does that mean it's not secure? So I wrote...
This is the first issue of this, so I'm not going to do anything off of this, but I'm updating your code of conduct being like, if you are here to report a security issue, and I put it in quotes, security issue, you must report it in these terms. You need to say, I see that the design is A. And it was probably chosen because it has these benefits and it has these downsides.
And here's how it's currently mitigated. But I think it doesn't go far enough. If you don't phrase it like that, I'm just going to flat out close the issue because you're not here to actually contribute. You're just here to like... get someone on some kind of rule. So I find that extremely annoying. So I wrote this code of conduct. It's only two things I put in there. I was like, it's two points.
It says reporting security issues. I say like, if it's a security issue, like, you know, don't post it publicly, message me. And if we don't respond in some amount of time, then you can just go disclose it publicly in case there's like some kind of hold exploit. Yeah. Then number two, I wrote reporting security issues in quotations. And I was like,
You're likely not really reporting a security issue. Like, you know, please phrase it in this way so we know that you've actually done your research. Yeah. So I wrote that. Okay, great. I think this problem is solved. And today I wake up. I get another PR. Fix code of conduct. It's a title PR. And it's like in this PR message, it says the code of conduct is very bad.
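The access-token / refresh-token split described above, as an added example that is not code from the podcast or from the project under discussion: a five-minute HS256 JWT is verified offline with no database, while the opaque refresh token is only ever checked by the authorization server, so revoking it stops new access tokens after the current one expires. The signing key, the in-memory store and the user names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"   # constructed sample key, not a real secret
ACCESS_TTL = 300                   # five minutes, as in the discussion
refresh_store = {}                 # refresh token -> user; lives only on the auth server

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user: str, now: float) -> str:
    """Self-contained HS256 JWT; any service holding SECRET can verify it offline."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"sub": user, "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"

def verify_access_token(token: str, now: float):
    """Offline check: signature and expiry only. No database, hence no revocation."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):
        return None
    claims = json.loads(unb64(payload))
    return claims["sub"] if claims["exp"] > now else None

def issue_refresh_token(user: str) -> str:
    """Opaque random token; only the authorization server ever sees or stores it."""
    tok = secrets.token_urlsafe(32)
    refresh_store[tok] = user
    return tok

def revoke_refresh_token(tok: str) -> None:
    """Revocation is a server-side lookup change; existing JWTs are unaffected."""
    refresh_store.pop(tok, None)

def refresh(tok: str, now: float):
    """Must be sent to the authorization server; a revoked token yields no new JWT."""
    user = refresh_store.get(tok)
    return issue_access_token(user, now) if user else None
```

After `revoke_refresh_token`, the already issued JWT keeps validating until its five-minute `exp` passes; only the refresh call fails immediately.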