In custom JWT authentication how to manage the expiration time etc? How to rate limiting to prevent brute-force attack? How to track user session activity?


JWT Expiration and Management:

  • JWT Handles Expiration: JWTs inherently manage their own expiration time. You embed an "exp" (expiration time) claim within the token payload during token generation. This claim represents a timestamp (usually Unix time in seconds) indicating when the token becomes invalid.
  • Server-Side Verification: When the server receives a JWT in a request, it verifies the token's signature and checks the "exp" claim. If the current time (obtained from the server clock) is greater than or equal to the expiration time, the token is considered invalid, and the server rejects the request.

Example (Using Python's PyJWT library):

Python
import jwt
from datetime import datetime, timedelta

# Secret key for signing JWTs (keep this confidential)
SECRET_KEY = 'your_secret_key'

# Function to generate a JWT with an expiration time
def generate_jwt(user_id, expiration_delta=timedelta(minutes=5)):
    payload = {'user_id': user_id, 'exp': datetime.utcnow() + expiration_delta}
    return jwt.encode(payload, SECRET_KEY, algorithm='HS256')

# Sample usage
token = generate_jwt(123)  # Token expires in 5 minutes
decoded_payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
expiration_time = decoded_payload['exp']

# Server-side verification (example using Django middleware)
def jwt_middleware(get_response):
    def middleware(request):
        # Extract and verify JWT token
        # ...
        if valid_token:
            decoded_payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
            # Check expiration time
            current_time = datetime.utcnow()
            if current_time >= decoded_payload['exp']:
                raise AuthenticationError("Token expired")
                # ... (process valid token)
        # ... (handle invalid token)
        response = get_response(request)
        return response
    return middleware
Use code with caution.

Rate Limiting for Brute-Force Attacks:

  • Concept: Rate limiting restricts the number of requests a user (identified by IP address or other factors) can make within a specified time window. This helps prevent brute-force attacks where attackers try a large number of login attempts with stolen credentials or dictionary attacks.
  • Implementation Options:
    • Middleware or Framework-Level: Many frameworks like Django or libraries like django-ratelimit offer built-in rate limiting functionalities. Explore these options if available for simplicity.
    • Custom Implementation (Example using a Redis Cache):
      1. Use a cache like Redis to store timestamps of recent requests for each user (identified by IP address).
      2. On each login attempt, check the cache for the user's IP address.
      3. If the user has exceeded the allowed number of requests within the time window:
        • Reject the login attempt and return an appropriate error response.
        • Optionally, reset the counter after a cool-down period.

Example (Custom Rate Limiting with Redis):

Python
import redis

# Redis connection details
REDIS_HOST = 'localhost'
REDIS_PORT = 6379
MAX_REQUESTS = 5  # Allowed requests within a minute
TIME_WINDOW = 60  # Time window (seconds) in which requests are counted

# Function to check and update rate limit for a user
def check_rate_limit(user_ip):
    r = redis.Redis(host=REDIS_HOST, port=REDIS_PORT)
    key = f'rate_limit:{user_ip}'
    now = time.time()
    # Check if key exists (i.e., if user has made requests recently)
    if r.exists(key):
        # Get timestamps of previous requests
        last_requests = r.zrange(key, 0, -1)
        # Check if exceeded limit
        if len(last_requests) >= MAX_REQUESTS and now - float(last_requests[0]) < TIME_WINDOW:
            return False  # Rate limit exceeded
        else:
            # Update last request timestamp
            r.zadd(key, now)
            return True  # Within rate limit
    else:
        # Create key for the user and add first request timestamp
        r.zadd(key, now)
        r.expire(key, TIME_WINDOW)  # Set expiration for the key
        return True  # Within

Comments

Post a Comment

Popular posts from this blog

Embedded systems Guide

 Embarking on a journey into embedded systems can indeed feel overwhelming, especially when foundational concepts seem scattered across different domains like electronics and programming. It's completely normal to feel this way as you're integrating knowledge from multiple areas. Let's break down a structured approach to help you build a solid foundation and progressively advance your understanding of embedded systems. 1. Understand What Embedded Systems Are Embedded Systems are specialized computing systems that perform dedicated functions within larger mechanical or electrical systems. Examples include: Home Appliances: Washing machines, microwaves. Consumer Electronics: Smartphones, cameras. Automotive Systems: Airbags, engine control units. Industrial Machines: Robotics, control systems. Key Characteristics: Dedicated Functionality: Designed for specific tasks. Real-Time Operation: Often require timely responses. Resource Constraints: Limited processing power, ...
Read more

Linux Hanged 1

1. Use TTY to Regain Control (Very Useful) Even if the GUI is frozen, Linux still runs in the background. You can switch to a TTY (text console): 👉 Press: css Copy Edit Ctrl + Alt + F2  (or F3, F4... up to F6) This brings you to a black screen asking for login. Log in with your username and password, then: bash Copy Edit htop Or use: bash Copy Edit top Find the highest CPU or memory usage process, and kill it: bash Copy Edit kill -9 <PID> If you don’t have htop yet: bash Copy Edit sudo apt install htop To return to the desktop GUI after killing the offending process: 👉 Press: nginx Copy Edit Ctrl + Alt + F1  (or sometimes F7, depending on distro) 🔹 2. Hard Reset as Last Resort If TTY doesn't work (rare but possible), you can force a system reboot safely: 👉 Press: nginx Copy Edit Alt + SysRq + REISUB That’s: Alt + Print Screen (SysRq key) + type R E I S U B slowly. It safely unmounts disks and reboots — better than holding the power button. ⚙️ How to Prevent Future Fr...
Read more

Android Realm Starter Code

 This is MainViewModel.kt package com.example.first import androidx.compose.runtime.getValue import androidx.compose.runtime.mutableStateOf import androidx.compose.runtime.setValue import androidx.lifecycle.ViewModel import androidx.lifecycle. viewModelScope import com.example.first.models.Address import com.example.first.models.Course import com.example.first.models.Teacher import io.realm.kotlin.ext.query import kotlinx.coroutines.flow.SharingStarted import kotlinx.coroutines.flow.map import kotlinx.coroutines.flow.stateIn import kotlinx.coroutines.launch class MainViewModel: ViewModel() { private val realm = MyApp. realm val courses = realm . query <Course>( ) .asFlow() . map { results -> results. list . toList () } . stateIn ( viewModelScope , SharingStarted.WhileSubscribed(), emptyList () ) var courseDetails : Course? by mutableStateOf ( null ) p...
Read more