USB token for Java Desktop Application

I would like to integrate the use of a USB token in a JavaFX application that my customers use on a computer I send them. This JavaFX application interacts with a Java/Spring back end. (client-id/secret) I need this secure element for a few reasons, but mainly because I want to avoid the situation where a user would clone the application into an other computer and use two occurrences at the same time.

Is there a way to integrate the secure element without interfering with the current client/server communication ? Basically I would rather not change anything to my Spring back end, and integrate this authentication method separately. I started my research and I am thinking of hosting a WebAuthn server and make my app communicate with it. What do you think about that way of doing ? Thanks a lot for your help !

for anti-CSRF, isn’t a session id cookie in a hidden form field easier than a random token?

I sometimes run into sites with CSRF bugs and I want to know the simplest way to recommend for the developer to fix it. (i.e., if I tell them “Switch to a framework that has anti-CSRF protection”, they won’t listen.)

Anecdotally, it looks like most sites mitigate CSRF by including a random token as a hidden form field, and then rejecting the form submission of the token isn’t present. (And it usually looks hand-crafted, not inserted by the framework.)

I’m wondering why it isn’t much simpler (and hence, much more common practice) to do “double-submit cookie” — where you take the session id cookie and put it in a hidden form field, and then reject the form submission if the hidden field value doesn’t match the session id cookie.

First, the problems with the “random token” approach, if your framework doesn’t have it built-in: You have to generate a random value and store it server-side, and in your storage table it must be associated with the user it was served to. When the form is posted, you have to check that the value is there, check it’s associated with the logged-in user, and then delete it so it can’t be re-used. If you screw up any part of this, you’ve potentially created a security hole. And, you might need to create a new database table for your tokens, which is just more cruft. (Yes, I know you can do it using hashes and secret values, but that’s also error-prone.)

By contrast, consider the ease of using the session cookie. (You don’t want to use an authentication cookie, because if the authentication cookie is stored in a hidden form field, an xss bug might be able to read it. But session-id cookie is probably safe.) ALL you have to do is store it in a hidden form field, and then check the value when the form is submitted.

So, I contend that IF the website in question has a framework that uses session cookies, I can tell them that the easiest way to fix it is by using double-submit-cookie with the “session-id” cookie, and to ignore all the webpages which usually start out by talking about how to protection against CSRF by using random tokens.

Am I missing something? Does double-submit-cookie have some disadvantage?

Algorithm for token replacement game

I’m having problems finding an algorithm to the following problem:

A and B take turns replacing a number $ n$ of tokens with either $ floor((n+1)/2)$ or $ n-1$ . The player who makes one token remain wins. We want to know, if there is a way for B to win the game no matter the moves of A. A begins the game.

My idea is the following:

Is n = 1 -> No way for B to win the game

We try all moves of first A then B and check for 1 -> There is a way for B to win

But this does not incorporate the “no matter the moves of A” criteria.

Do best practices eliminate the need for a CSRF token when writing an API server?

I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.

To make this a little more concrete, I would envision the following scenario:

  • The API server serves a limited number of frontends with an explicit CORS whitelist.

  • HTTP method semantics are followed religiously (no writes in GET).

  • All routes require authentication.

  • All POST routes require a request body[1].

  • All routes that take a request body require a JSON content-type header.

  • Cookies are httpOnly but not sameSite.

Based on my understanding of SOP setting a JSON content-type header on requests should trigger a preflight request which would fail for untrusted origins. If all POST routes require a JSON content-type header, that should then mean they’ll always fail the preflight, leaving only GET requests.

So this would not mitigate CSRF attacks against GET routes but as these can’t be used for exfiltration (as SOP prevents the response from being read) and the GET routes should not cause any data modification, guarding these requests with CSRF tokens would not appear to make a practical difference.

Given how viciously some people defend CSRF tokens, I can’t shake the feeling I’m overlooking an obvious problem here. I realize redundant protections may be valuable in their own right, but what I’m trying to understand is whether in the scenario described the CSRF token would really be redundant or not.


[1]: I realise this might be a practical limitation of this approach as in some real-world APIs there are legitimate POST routes that don’t take a request body or there may be routes that need to take a content-type like form-data that won’t trigger a preflight.

How can I have a Token with a Macro on Click

I would like to add a token (legend button) to the world overview, which allows to click another token and show a description of the place.

So far I have created a token (A), which has a token macro (as a character-sheet ability):

&{template:default} {{name=@{target|Select a Location|token_name}}} {{@{target|Select a Location|bar1} [Click Here To Learn More](@{target|Select a Location|bar1|max})}} 

On the map I have Tokens (B) with the link to a handout in bar1_max.

This allows the players to click token B (which, they do not have control on) and to show a text in the chat, which when clicked shows a handout.

My current token is working the following way: click LegendButton (token A), click token action (in token macro bar), click location (token B), click link in chat-window → open handout with location description.

Questions:

  • Can I have the same, but when clicking the token B to show the Handout (no longer showing the link in the chat and having to do this additional click)?
  • Can I have token A to activate a macro onClick, so that the players do not have select the token and then to click the macrobar action (I am not a paid customer at roll20)?

does a non-terminated string count as a token in c?

so, I am preparing for an exam which includes lexical analysis from compiler design. I was wondering what is the number of tokens in the following code-

int main() {   /* comment   printf("Hello */ There ");*/   return 0; } 

so, I am thinking upto first “*/” it will be a multiline comment, so, after “there” a string will start without terminating. will the last string is counted as a token?

OpenID Connect with Authorization code flow and PKCE – How shoud we get a new access token in a SPA application?

As answered in this question, Single Page Applications shouldn’t be given a refresh token with the OIDC Authorization Code Flow.

Can you indicate some way of getting a new access token when it expires (without interrupting the SPA UX state (no redirects…)?

If the use refresh tokens were the only solutions, what are the ways we can minimize the risk of leakeage? E.g: is storing it in the browser’s session storage safe enough? Do IdPs provide a some form of refresh_token expiration, etc.

JWT Bear token question

I am implementing a stateless rest API and I have a question about a design decision that I am in the midst of making, so I am hoping some of you auth experts can help me out.

I created a centralized auth server using primarily NodeJs, Express and Mongo which I intend to use from two separate applications which share this auth server. I have register, login, route guards in place and working perfectly as far as I can tell.

I am wondering if I can do the following to invalidate a user session individually without changing any secret keys or hitting the dB at all:

User logs in with password user or OAUTH source -> auth server returns jwt with 30 min lifetime to the client to be passed in with each authenticated subsequent request to the resource server which checks the validity and parsed the claims in order to provide a session less user context to the application.

Let’s say a user gets set to inactive due to say fraud – we need access to this account to be removed even though the session is still active as per JWT signaturel/ claims and makes a request and will be allowed to do so unless restrictions are put in place. My point is to avoid storing session tokens in the dB at all and still be able to instantly invalidate a users request based on the token, without hitting the users collection to check for status active with each validated request.

My though is to mimic the refresh token, but instead of sending it as a refresh token, over write the bearer token which I send in every response if a valid request is made within 5 min of token timeout and the user input requests a sessions extension. This way no polling has to be done, the token just gets Its life extended and the user never has to log out because it will happen automatically, no blacklist of tokens in dB needed this way either. I plan on implementing a UI component to warn of timeout before refreshing the token. Is there anything wrong with this approach? What’s the point of a refresh token when I can just replace the auth header with an extended lifetime version of itself? Thanks for helping clear this up for me and anyone else confused by this aspect.

Seems my options are:

  1. Use a short lifetime on the token, refresh valid request incrementally each time and warn the user if they are about to expire so they can be issued a new extended exp token lifespan.

Con: whatever time is left in the tokens exp from when it expires the user is still able to access the system even if they get deleted, set to inactive etc.

  1. Store all auth tokens in the dB, check a blacklist before permitting access (or just check the dB for user.active since if I have to do a lookup to validate the blacklist approach I guess which ever is most efficient would get the job done.

Why are refresh tokens different than regular access tokens? I see refresh tokens typically have much longer lifespans than access tokens why is that? Why not just extend the lifetime of the token when a request comes though and overwrite the existing bearer token sent to the cleaner from. The auth api then from the client back to the resource server? This way you could shut any account down within the time of the exp, meaning if the user doesn’t make an authenticated request in n hours or minutes, expire the token… otherwise keep refreshing or ask if the want to refresh. This doesn’t feel like a big risk to leave a 30 min window where a restricted user can stilll access the system given the type of app I am developing but I really would love some feedback on the best possible way to do this.

Custom header to avoid CSRF attacks? header without token

I found that a website protects itself of CSRF attacks by validating the POST request contains a specific header:

-Example-header: GF 

What i find strange is that this header doesn’t have a csrf token in it, it is just a custom header with a 2 letters value that validates the POST request.

When i try to add it in the HXR request it executes as OPTIONS instead of POST and the attack fails. is there any way to bypass this? i find this kind of stupid because why other websites implementing a personal large token in the custom header, if by adding a simple header with a short value the requests preflights???

The html and javascript was made with burp suite professional and it worked, but then adding the special header preflights the request.

Are the trade offs for putting an auth token in an http-only cookie for an SPA worth it?

I’ve been building a web app (rails api + react SPA) for learning / fun and have been researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to put the auth token (such as a JWT) in a secure HTTP-only cookie to protect from XSS. This seems to have a couple of consequences:

  • We now have to handle CSRF since we are using cookie authentication
  • Since it’s an SPA we can’t protect against CSRF until the user is logged in, which means we are vulnerable to a login phishing attach (https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks)

But what is the real downside to just storing the auth token in browser storage (i.e. session storage)? XSS becomes slightly more convenient for the attacker? Even with an HTTP-only cookie the attacker can still use the auth token by making requests directly from the site, because if there’s a XSS vulnerability then they don’t need to be able to read the token to use it.

It seems that the popular recommendation just makes things more complicated to protect against CSRF just to make things a little more difficult for the attacker in the case of XSS. Due to the amount of resources making these recommendations I feel like I am missing something and would appreciate any feedback or clarifications!

Here is a couple of sources I’ve been reading that have been quite adamant against browser storage for auth tokens:

  • https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html
  • https://jwt.io/introduction/
  • https://auth0.com/docs/security/store-tokens