Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID.
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?

Using OAuth2 with JWT, should a client pass along unused refresh tokens on a logout call?

I have a system with an OAuth2 authorization server. It hands out JWT access tokens and refresh tokens (the latter only to the mobile app client).

We don’t persist access tokens (as is normal with JWT), but we do persist the (hashed) refresh tokens together with some metadata to be able to revoke them, so that users can log out other devices. We also only allow a single use for refresh tokens; the new request also gives back a new refresh token.

The OAuth2 login server itself uses regular basic auth with sessions. The user wants to be able to log out (single devices/clients) here. So of course I have to invalidate the session itself. But ideally I want to remove the refresh token that this client still has as well. The problem is that I don’t know that refresh token. A particular user could in theory have requested multiple of them with their code request. The refresh token is also not normally passed in requests (only the access token).

Should I ask the clients (which are currently all under our own development) to send along their unused refresh tokens? Even if they ‘forget’ their refresh tokens locally, it still seems better if I also delete them on the server so they don’t linger around until their expiry time. Note I do know all the refresh tokens currently in use for a certain account but I don’t want to just delete them all because that would mean all devices are logged out. We also save some user agent-like info with the refresh tokens so users can use that to manually logout other devices, but it seems like a bad idea to try to perform string matching on those to automate that process.
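The two questions above describe the same moving parts: a signed, short-lived access JWT that is verified statelessly, a long-lived refresh token that exists only as a hashed row in a table, single-use rotation on /refresh, and revocation on logout. The following is an added example, written for this page and not code from either question's author. It assumes HS256 with an in-memory key, SHA-256 hashing of refresh tokens, an in-memory dict standing in for the database table, and one assumed design choice that addresses the second question's "I don't know that refresh token" problem: every refresh token row records the login session that obtained it, so logging out that session can revoke exactly its own tokens without string-matching on user-agent data or logging out every device.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed per-process signing key for the example; a real service loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
ACCESS_TTL = 15 * 60           # short-lived access JWT (seconds)
REFRESH_TTL = 30 * 24 * 3600   # long-lived refresh token (seconds)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: int) -> str:
    """HS256 JWT carrying the user id and an expiry; needs no server-side state."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: int):
    """Return the user id, or None if the alg is unexpected, the signature fails or the token expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm before looking at the signature, so an "alg": "none" or
        # key-confusion header is rejected outright.
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        exp = claims["exp"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims.get("sub")


class RefreshTokenStore:
    """Stand-in for the refresh-token table. Rows are keyed by SHA-256 of the token, so a leaked
    table cannot be replayed. Each row also records the login session that obtained it (an assumed
    design choice): a logout of that session can then revoke exactly its own refresh tokens."""

    def __init__(self):
        self.rows = {}  # sha256(token) -> {"user_id", "session_id", "expires_at"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, session_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits; a GUID is not a secret
        self.rows[self._key(token)] = {"user_id": user_id, "session_id": session_id,
                                       "expires_at": now + REFRESH_TTL}
        return token

    def redeem(self, token: str, now: int):
        """/refresh with single-use rotation: the presented token is consumed and a new
        (access token, refresh token) pair is returned, or None if unknown or expired."""
        row = self.rows.pop(self._key(token), None)
        if row is None or row["expires_at"] <= now:
            return None
        return (issue_access_token(row["user_id"], now),
                self.issue(row["user_id"], row["session_id"], now))

    def revoke_session(self, session_id: str) -> int:
        """Logout of one device/client: drop every refresh token that session obtained."""
        return self._revoke(lambda r: r["session_id"] == session_id)

    def revoke_user(self, user_id: str) -> int:
        """Logout everywhere."""
        return self._revoke(lambda r: r["user_id"] == user_id)

    def _revoke(self, match) -> int:
        doomed = [k for k, r in self.rows.items() if match(r)]
        for k in doomed:
            del self.rows[k]
        return len(doomed)


def login(store: RefreshTokenStore, user_id: str, session_id: str, now: int):
    """/login after the password check has already passed (not shown): hand back both tokens."""
    return issue_access_token(user_id, now), store.issue(user_id, session_id, now)
```

Two details carry most of the security value: the verifier pins the algorithm and compares signatures in constant time before it trusts any claim, and the store never keeps the refresh token itself, so a database read gives an attacker nothing to replay. Because `redeem` pops the row before issuing the replacement, a refresh token presented twice fails the second time, which is also the signal the second question is after: a replayed token means either a bug in the client or a copy in someone else's hands.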

Update / refresh mini cart, after custom AJAX add_to_cart event

I need help

In my custom single-product.php template, I added the button

    public function AddToCartButton() {
        global $product;

        if ($product->is_type('variable') || $product->get_stock_status() !== 'instock') {
            $disabled_btn_class = 'btn-am--disabled';
        } else {
            $disabled_btn_class = '';
        }

        $echo  = '<form class="cart single-product-cart" method="post" action="woocommerce_ajax_add_to_cart" enctype="multipart/form-data">';
        $echo .= '<button type="submit" class="single_add_to_cart_button button alt btn-am btn-am--red ' . $disabled_btn_class . '" data-url="' . admin_url("admin-ajax.php") . '"> ' . esc_html( $product->single_add_to_cart_text() ) . '</button>';
        $echo .= '<input type="hidden" name="add-to-cart" value="' . absint( $product->get_id() ) . '" />';
        $echo .= '<input type="hidden" name="product_id" value="' . absint( $product->get_id() ) . '" />';
        $echo .= '<input type="hidden" name="quantity" value="1" />';
        $echo .= '<input type="hidden" name="variation_id" class="variation_id" value="0" />';
        $echo .= '</form>';

        return $echo;
    }

Custom AJAX call

    public function __construct() {
        add_action('wp_ajax_woocommerce_ajax_add_to_cart', [$this, 'ajax_add_to_cart']);
        add_action('wp_ajax_nopriv_woocommerce_ajax_add_to_cart', [$this, 'ajax_add_to_cart']);
    }

    function ajax_add_to_cart() {
        $product_id        = apply_filters('woocommerce_add_to_cart_product_id', absint($_POST['product_id']));
        $quantity          = empty($_POST['quantity']) ? 1 : wc_stock_amount($_POST['quantity']);
        $variation_id      = absint($_POST['variation_id'] ?? 0);
        $passed_validation = apply_filters('woocommerce_add_to_cart_validation', true, $product_id, $quantity);
        $product_status    = get_post_status($product_id);

        // Check the publish status before touching the cart, not after the item is already in it.
        if ($passed_validation && 'publish' === $product_status && WC()->cart->add_to_cart($product_id, $quantity, $variation_id)) {

            do_action('woocommerce_ajax_added_to_cart', $product_id);

            if ('yes' === get_option('woocommerce_cart_redirect_after_add')) {
                wc_add_to_cart_message(array($product_id => $quantity), true);
            }

            // Respond with the refreshed fragments, as WooCommerce's own add-to-cart handler does;
            // this applies the woocommerce_add_to_cart_fragments filter and then exits.
            WC_AJAX::get_refreshed_fragments();

        } else {

            $data = array(
                'error'       => true,
                'product_url' => apply_filters('woocommerce_cart_redirect_after_error', get_permalink($product_id), $product_id));

            wp_send_json($data); // sends the JSON and exits; no echo needed
        }

        wp_die();
    }

This code works, and if I refresh the page the item is added to the cart, but it does not work with the hook woocommerce_add_to_cart_fragments.

And in my functions.php I have this code to refresh/update the cart:

    add_filter( 'woocommerce_add_to_cart_fragments', 'wc_mini_cart_ajax_refresh' );

    function wc_mini_cart_ajax_refresh( $fragments ) {
        $fragments['#mcart-stotal'] = '<div id="mcart-stotal" class="mini-cart-footer__total">' . WC()->cart->get_cart_subtotal() . '</div>';

        ob_start();
        echo '<div id="mcart-widget">';
        woocommerce_mini_cart();
        echo '</div>';
        $fragments['#mcart-widget'] = ob_get_clean();

        return $fragments;
    }

And this hook works fine, but not for my custom AJAX button. Why does this happen?

AMD Ryzen 5 3400G on Linux Ubuntu 18.04 (does not work at 60 Hz refresh rate)

I just bought the new 3400G (AMD Ryzen 5 3400G with Radeon Vega Graphics) and I have a problem with the 60 Hz refresh configuration. At 30 Hz all works ok, but when I set 60 Hz as the refresh rate at 3840×2160 the HDMI signal randomly disappears and then reappears, or it shows some ghost lines on the TV randomly…

My actual kernel and ubuntu version:

    ➜  default uname -a
    Linux L-G580 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    ➜  default lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 18.04.3 LTS
    Release:        18.04
    Codename:       bionic

    06:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Picasso [1002:15d8] (rev c8) (prog-if 00 [VGA controller])

    glxinfo | grep OpenGL
    OpenGL vendor string: X.Org
    OpenGL renderer string: AMD RAVEN (DRM 3.27.0, 5.0.0-31-generic, LLVM 8.0.0)
    OpenGL core profile version string: 4.5 (Core Profile) Mesa 19.0.8
    OpenGL core profile shading language version string: 4.50
    OpenGL core profile context flags: (none)
    OpenGL core profile profile mask: core profile
    OpenGL core profile extensions:
    OpenGL version string: 4.5 (Compatibility Profile) Mesa 19.0.8
    OpenGL shading language version string: 4.50
    OpenGL context flags: (none)
    OpenGL profile mask: compatibility profile
    OpenGL extensions:
    OpenGL ES profile version string: OpenGL ES 3.2 Mesa 19.0.8
    OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20
    OpenGL ES profile extensions:

I appreciate any help…. Thank You.

[19.04]Can’t change the refresh rate, am I too dumb?

equipped and read-capable humans, (and I hope write-capable too)

When I want to run some demanding games on my laptop, I normally switch the refresh rate to 40Hz, so that with VSync on, I can run at lower framerate and with no tearing as well.

However, while it works pretty well on Windows, I’ve not been able to do the same on my Ubuntu 19.04. I’ve tried a few things already, with no success. Each time, it behaves like it worked (no error message, and the xrandr command says the active mode is 40Hz), but I can tell nothing has changed, since the game still runs at 60fps VSynced and cursor movement is as smooth as before. To make things simpler, I disabled the Nvidia dGPU with the “prime-select intel” command and tested with the glxgears program, which runs vsynced and windowed.

What I tried:

1) Changing the refresh rate from the GNOME preferences

2) Changing the refresh rate with xrandr (xrandr --output eDP-1 --mode 1920x1080 --rate 40)

3) Creating a custom 40Hz mode and switching to that mode with xrandr (I take the modeline from cvt)

4) Opening a Wayland session and changing the refresh rate from the GNOME preferences

5) adding video=1920×1080@40 to the kernel command line, and retrying 1, 2, 3 and 4 in that configuration

Hardware: CPU: i7-4710MQ (Intel HD Graphics 4600), dGPU: Nvidia GTX 880M, RAM: 16 GiB

xrandr output:

    ~$ xrandr
    Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 8192 x 8192
    eDP-1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 382mm x 215mm
       1920x1080     60.01*+  60.01    59.97    59.96    59.93    40.01
       1680x1050     59.95    59.88
       1600x1024     60.17
       1400x1050     59.98
       1600x900      59.99    59.94    59.95    59.82
       1280x1024     60.02
       1440x900      59.89
       1400x900      59.96    59.88
       1280x960      60.00
       1440x810      60.00    59.97
       1368x768      59.88    59.85
       1360x768      59.80    59.96
       1280x800      59.99    59.97    59.81    59.91
       1152x864      60.00
       1280x720      60.00    59.99    59.86    59.74
       1024x768      60.04    60.00
       960x720       60.00
       928x696       60.05
       896x672       60.01
       1024x576      59.95    59.96    59.90    59.82
       960x600       59.93    60.00
       960x540       59.96    59.99    59.63    59.82
       800x600       60.00    60.32    56.25
       840x525       60.01    59.88
       864x486       59.92    59.57
       800x512       60.17
       700x525       59.98
       800x450       59.95    59.82
       640x512       60.02
       720x450       59.89
       700x450       59.96    59.88
       640x480       60.00    59.94
       720x405       59.51    58.99
       684x384       59.88    59.85
       680x384       59.80    59.96
       640x400       59.88    59.98
       576x432       60.06
       640x360       59.86    59.83    59.84    59.32
       512x384       60.00
       512x288       60.00    59.92
       480x270       59.63    59.82
       400x300       60.32    56.34
       432x243       59.92    59.57
       320x240       60.05
       360x202       59.51    59.13
       320x180       59.84    59.32
    DP-1 disconnected (normal left inverted right x axis y axis)
    HDMI-1 disconnected (normal left inverted right x axis y axis)
    HDMI-2 disconnected (normal left inverted right x axis y axis)
    DP-2 disconnected (normal left inverted right x axis y axis)
    HDMI-3 disconnected (normal left inverted right x axis y axis)

Current Xorg log

Assistance in this matter is welcome, even if that means proving that I am, indeed, dumb.

The benefit of JWT refresh token if authorization and resource server are merged?

Is there any benefit in using refresh tokens if your auth and resource server are combined?

I understand the benefit when they are separate: the refresh token is never sent to the resource server. But if they are not separate, is there any?

Without the refresh tokens, the access tokens could still be refreshed the same, but is there some additional benefit of still using separate refresh tokens?

SPFX property pane changing on page refresh

I have added a few controls to the property pane; I have a few labels which get updated on button click, as shown in the image below.


But once the page is refreshed, the label values are lost, as I am using an array to update these fields which gets emptied on page refresh.

Code:

    PropertyPaneLabel('linkLabel1', { text: array[0] })

The other fields’ values still exist after a page refresh, but the label values are lost. So what is the right way of doing this?

How do I refresh the file cache after a change from within Windows

I’m using Ubuntu on Windows. I find it extremely convenient that I can drag files from the Windows desktop to an Ubuntu folder.

However, it takes several restarts of Ubuntu or a long period of time until Ubuntu refreshes the files and I can view them in Ubuntu, for example by using “ls -la”.

How could I force Ubuntu to refresh the file cache so that it recognizes the file changes?

Thank you!