Generate a new AccessToken each time a user updates his information

I'm building a PWA app where I implemented JWT tokens to authenticate users.

I have two main architecture problems, but let me first introduce what I'm building.

I'm building an application that is all about dog lovers: it is for posting lost dogs, posting dogs for adoption, and for dog owners to find good dog services around them like vets, dog walkers, etc.

In my application you register with Facebook or Google.

In my application any user can open up services: if you are a dog walker you can easily open up a service, fill in some basic details, and people all around can find this new service.

I have these microservices: [auth, user, chat, association, dog, haircut, review, store, trainer, vet, walker]

I am planning to run it on AWS ECS.

1st problem: the JWT stays outdated if I don't talk to the auth service and regenerate the token for a user.

If a user registers a new vet service, I must also return him a new access token, or else his JWT will be outdated, carrying his old information without anything about the newly created service.

Right now I'm letting the microservices talk to each other, and I really don't like this idea because I can easily get lost debugging and logging them.

This is how creating a new service looks now:

* each microservice holds in its ENV the key to read the JWT

User >
walkerService (creating the new service) >
userService (updating the user's "services" field with the new service's pointer id; the user object has a "services" object inside that holds arrays of pointers to the service DB) >
authService (generating a new, updated access token)

So what now? Each time a user updates or creates a service, should I return a new JWT?

I can fix it using an API gateway, but…

2nd problem

If I create an API microservice (an API gateway) and move some of the logic in there, I feel like I'm back in a monolith app. In the API gateway I can do all the auth-related stuff and actually remove the auth service entirely, and I can "bypass" the problem of direct talk between microservices because I can await each microservice finishing its task before continuing with the task of the next microservice.

But then the API gateway becomes more logic-heavy and less simple than it should be, with just auth, some throttling and routing around the microservices…

For example, in the front end, when you are viewing an adoption post,

you are actually looking at a document from the "dog" service, but there is also an owner field (giving the private name of the person who actually posted it).

In the dog document I have, for example, the owner id:

"dh83db34u9f": { ownerId: "d236d8g2d83d4", dogName: "Maya", dogAge: "etc." }

So, before I return this document from the dog service, I also need to attach the name of the owner, so I need to ask the "user" service for the public info of this user,

and only then combine these 2 into 1 object and respond to the call…

I believe this API gateway shouldn't do stuff like that, so I wonder whether I should create a new service just for "crud" / "actions"?

Is SQL injection still a bad thing if the user is restricted to non-harmful queries?

Suppose I have a very simple PHP application that acts as a front-end for an SQL database. The user enters their query into a box, and the app shows the query results in a table.

To prevent a user from modifying the table, the SQL user only has permissions for read-only queries, i.e. if a user tries to enter something like DELETE * FROM persons or DROP TABLE persons into the textbox, they get an error.

Is it still considered “bad form” if this web app is vulnerable to SQL injection, given that the intended use of the app is for the user to be able to execute their own (read-only) SQL queries on the database?
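An added example (not from the question, and not the PHP app it describes) that models the read-only setup with Python's sqlite3 module: the connection is put into query_only mode to stand in for a SELECT-only database account, and user text is executed exactly as the question's app would run it. The schema, the second table and the placeholder hash are constructed for the demo. It shows what the read-only grant blocks and what it still allows: reading a table the app was never meant to expose, discovering the schema, and a read-only query that never finishes unless the application itself enforces a CPU budget.

```python
import sqlite3

# Constructed demo schema: the table the app is meant to expose (persons) plus one
# it is not (users, holding credential hashes). The hash value is a placeholder.
SCHEMA = """
CREATE TABLE persons(id INTEGER PRIMARY KEY, name TEXT, city TEXT);
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
INSERT INTO persons VALUES (1, 'Ada', 'London'), (2, 'Linus', 'Helsinki');
INSERT INTO users VALUES (1, 'admin@example.test', '$2y$10$constructedplaceholderhash');
"""


def open_readonly_db() -> sqlite3.Connection:
    """In-memory stand-in for the question's read-only database account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("PRAGMA query_only = 1")  # every write now fails, like a SELECT-only grant
    return conn


def run_user_query(conn: sqlite3.Connection, sql: str, max_ticks: int = 50):
    """Run user-supplied SQL the way the question's app does.

    Returns (status, payload): ("rows", [...]) for a completed query,
    ("refused", msg) when the read-only grant blocked it, ("interrupted", msg)
    when the statement exhausted its CPU budget, or ("error", msg) otherwise.
    The budget uses sqlite's progress handler, invoked every 1000 VM steps;
    returning non-zero from it aborts the running statement.
    """
    ticks = 0

    def budget():
        nonlocal ticks
        ticks += 1
        return 1 if ticks > max_ticks else 0

    conn.set_progress_handler(budget, 1000)
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        msg = str(exc)
        if "readonly" in msg.lower():
            return "refused", msg
        if "interrupted" in msg.lower():
            return "interrupted", msg
        return "error", msg
    finally:
        conn.set_progress_handler(None, 0)


# What the read-only grant stops, and what it does not.
WRITE_ATTEMPT = "DELETE FROM persons"                                    # blocked
INTENDED_QUERY = "SELECT name, city FROM persons"                        # allowed, as designed
CROSS_TABLE_READ = "SELECT email, password_hash FROM users"              # allowed: still a read
SCHEMA_DISCOVERY = "SELECT name FROM sqlite_master WHERE type = 'table'" # allowed: finds that table
CPU_BURN = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
            "SELECT count(*) FROM c")                                    # allowed and never ends

if __name__ == "__main__":
    db = open_readonly_db()
    for label, q in [("write", WRITE_ATTEMPT), ("intended", INTENDED_QUERY),
                     ("cross-table", CROSS_TABLE_READ), ("schema", SCHEMA_DISCOVERY),
                     ("cpu-burn", CPU_BURN)]:
        print(label, run_user_query(db, q))
```

The read-only account answers only the question "can the user change data?". It says nothing about which data the user can read, nor about how much work a single statement is allowed to do, which is why the cross-table read, the schema walk and the recursive query all succeed or have to be cut off by the application.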

How can I stop an authorized user from consuming all the bandwidth on my home network?

My neighbours and I share a home network managed by me and paid for by the landlord.

This person overloads the bandwidth regularly: jitter spikes up to the 300s, download speed fluctuates, overall a shit time.

I can't get rid of them / block them from the network, in spite of having admin access.

Is it possible to restrict their bandwidth / stop them from screwing up the internet for the other users?

Note: I have a second router at my disposal. Accountant by trade, little network knowledge but highly motivated.

Can global adversaries ‘de-anonymize’ any Tor user in a day?

Tor traffic correlation attacks by global adversaries

I know what a traffic correlation attack is, but I find it hard to understand this article or how it reached its conclusions about ‘de-anonymizing’ a ‘typical web user’ who uses Tor within a day, just with the ability to monitor enough web traffic. I also don't get how dark markets and child porn still exist on onion sites if all it takes is a little bit of cooperation to de-anonymize everyone. The article is from 2013, so the governments have had a long time to do it.

In the end, all the ‘global adversaries’ can see is traffic volume and timing (which is affected by some timing noise), right? So if you are just a typical web user who connected a few times (let's say 5 times) to an average website/webpage with an average size of 700 KB, who says that you are one of the few Tor users who visited a website/webpage of this size 5 times around the time you did? Am I missing something here?
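An added toy model of the attack the question is about (example code, not the article's method and not anything from the question): an observer who sees only bytes-per-second at the user's side and, separately, bytes-per-second at the website's side, and who never sees content. Each entry-side flow is shifted over a range of candidate network delays and correlated against every anonymous exit-side flow; the best-scoring user is named. The three users, their burst patterns, the delay and the size jitter are all constructed for the demo.

```python
from statistics import mean


def bursts(positions, size=700, length=16):
    """Bytes per 1-second bin: `size` bytes at each listed second, else idle."""
    series = [0] * length
    for p in positions:
        series[p] = size
    return series


# Entry-side observation (e.g. at the user's ISP): traffic is labelled by user.
# Constructed data; the three patterns differ only in when the fetches happen.
ENTRY = {
    "alice": bursts([1, 5, 8]),
    "bob":   bursts([0, 3, 7]),
    "carol": bursts([2, 4, 9]),
}


def observed_at_exit(series, delay, jitter):
    """The same flow seen at the far end: later by the circuit latency, with the
    sizes perturbed a little by padding and protocol overhead."""
    shifted = [0] * delay + series[:len(series) - delay]
    factors = iter(jitter)
    return [int(v * next(factors)) if v else 0 for v in shifted]


# Exit-side observation (e.g. near the website): anonymous flows, no user names.
EXIT = {
    "flow-7": observed_at_exit(ENTRY["alice"], 2, [0.99, 1.02, 1.01]),
    "flow-3": observed_at_exit(ENTRY["bob"],   2, [1.00, 0.97, 1.03]),
    "flow-5": observed_at_exit(ENTRY["carol"], 2, [1.02, 0.98, 1.01]),
}


def pearson(a, b):
    """Pearson correlation; 0 when either series is flat."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def shift(series, lag):
    return [0] * lag + series[:len(series) - lag]


def best_match_score(entry, exit_flow, max_lag=3):
    """Highest correlation over the unknown network delay (0..max_lag bins)."""
    return max(pearson(shift(entry, lag), exit_flow) for lag in range(max_lag + 1))


def deanonymize(entry_obs, exit_obs, max_lag=3):
    """Name, for each anonymous exit flow, the entry-side user whose timing and
    volume fit best. Returns {flow_id: (user, best_score, runner_up_score)}."""
    result = {}
    for flow_id, flow in exit_obs.items():
        ranked = sorted(((best_match_score(s, flow, max_lag), user)
                         for user, s in entry_obs.items()), reverse=True)
        result[flow_id] = (ranked[0][1], ranked[0][0], ranked[1][0])
    return result


if __name__ == "__main__":
    for flow, (user, score, runner_up) in deanonymize(ENTRY, EXIT).items():
        print(f"{flow} -> {user}  score={score:.3f}  runner-up={runner_up:.3f}")
```

The point the model makes is that the adversary does not need to know which site was 700 KB or who else fetched a page of that size; the sequence of fetch times is itself the fingerprint, and the same sequence appears, delayed and slightly reshaped, at the other end. Real attacks work on far noisier data and many more candidates, which is what determines how much observed traffic and how much time the article's figures assume.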

Gutenberg Featured-Image-panel missing when user with custom role edits Custom Post Type

For a WordPress project I made a Custom Post Type in the usual manner. I also made a custom role. I want users with that role to be able to create, edit and delete this CPT. I added the appropriate capabilities to this role. These are the caps:

'level_1' => true, // seems necessary to assign this author as post_author by other users
'read' => true,
'view_admin_dashboard' => true,
'upload_files' => true,
'publish_{my_cpts}' => true,
'edit_{my_cpts}' => true,
'edit_others_{my_cpts}' => false,
'delete_{my_cpts}' => true,
'delete_others_{my_cpts}' => false,
'read_private_{my_cpts}' => true,
'edit_{my_cpt}' => true,
'delete_{my_cpt}' => true,
'read_{my_cpt}' => true

I also map these capabilities in the args when registering the CPT. When registering the CPT, I did not forget to add ‘thumbnail’ to the ‘supports’ argument, and I added theme support for thumbnails, also for my CPT.

However, I don't want users with this role to be able to edit ordinary posts.

I think I don't need to provide more details on this because everything works fine,

except for the featured image panel in Gutenberg. This panel seems to display only if a user has the edit_posts capability, which my users don't have. The panel shows for other users; it only remains hidden for users with my custom role.

For now, I made a workaround with an ACF image field. Images uploaded with this custom field I make the featured image in a save_post hook.

But this is a workaround; I prefer the usual panel. Any suggestions? I find this an unusually hard nut to crack.

Should I generate a lot of random serial keys and pick one for each registration, or generate one for each user?

I’m talking about Online activation. My current workflow is:

  1. User pays via paypal (without registration)
  2. Paypal performs a request to my API.
  3. My API returns a serial key to the user.
  4. Then the user is able to register using this serial key.

It is a “pay to register then use”, not a “register then pay to use”.

So the question is:

  • Should I generate (let's say 100) keys, store them in the DB, and pick the first available one when someone pays via PayPal? Isn't this vulnerable to “guess” attacks?
  • Should I generate 1 random key each time a user pays via PayPal? Can't this approach generate 2 equal keys? I mean, I have no info from the user except what PayPal tells me, so I should somehow use a random function OR loop over the entire table comparing the serial keys.
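An added example (not the question's code, and independent of PayPal's API) of the second option done safely: one key is minted per payment from the OS CSPRNG, the database's uniqueness constraint catches a duplicate instead of a table scan, the issue step is idempotent so a retried payment callback returns the same key, and two helpers put numbers on the "guess" and "two equal keys" worries. The key format, the payment ids and the in-memory table are assumptions for the demo.

```python
import math
import secrets
import sqlite3

# Crockford-style alphabet: 32 symbols, no I/L/O/U, so a typed key is not
# mangled by 0/O or 1/l confusion. 32 symbols = 5 bits of entropy each.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
GROUPS, GROUP_LEN = 5, 5  # XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


def key_bits() -> int:
    """Entropy of one key: 25 symbols * 5 bits = 125 bits."""
    return GROUPS * GROUP_LEN * int(math.log2(len(ALPHABET)))


def new_key() -> str:
    """Fresh key from the OS CSPRNG (secrets), never from random.random()."""
    symbols = "".join(secrets.choice(ALPHABET) for _ in range(GROUPS * GROUP_LEN))
    return "-".join(symbols[i:i + GROUP_LEN] for i in range(0, len(symbols), GROUP_LEN))


def make_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE serials(
        key        TEXT PRIMARY KEY,          -- duplicates rejected by the DB
        payment_id TEXT NOT NULL UNIQUE,      -- one key per payment, never reused
        used       INTEGER NOT NULL DEFAULT 0)""")
    return conn


def issue_key(conn: sqlite3.Connection, payment_id: str) -> str:
    """Mint (or re-return) the key for a payment.

    Idempotent: the payment provider may deliver the same notification twice,
    and both deliveries get the same key. A colliding key, or a concurrent
    insert for the same payment, surfaces as IntegrityError and is retried.
    """
    for _ in range(5):
        row = conn.execute("SELECT key FROM serials WHERE payment_id = ?",
                           (payment_id,)).fetchone()
        if row:
            return row[0]
        key = new_key()
        try:
            with conn:
                conn.execute("INSERT INTO serials(key, payment_id) VALUES (?, ?)",
                             (key, payment_id))
            return key
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError("could not issue a unique key")


def redeem(conn: sqlite3.Connection, key: str) -> bool:
    """Consume a key exactly once; False for unknown or already-used keys."""
    with conn:
        cur = conn.execute("UPDATE serials SET used = 1 WHERE key = ? AND used = 0",
                           (key.strip().upper(),))
    return cur.rowcount == 1


def guess_probability(unused_keys: int) -> float:
    """Chance that a single random guess hits an outstanding, unredeemed key."""
    return unused_keys / 2 ** key_bits()


def collision_probability(issued_keys: int) -> float:
    """Birthday bound: chance that any two of n independently minted keys coincide."""
    n = issued_keys
    return -math.expm1(-n * (n - 1) / (2 * 2 ** key_bits()))


if __name__ == "__main__":
    store = make_store()
    k = issue_key(store, "PAYID-CONSTRUCTED-1")  # constructed payment id
    print(k, issue_key(store, "PAYID-CONSTRUCTED-1") == k, redeem(store, k), redeem(store, k))
    print(f"guess with 100 keys outstanding: {guess_probability(100):.2e}")
    print(f"collision among 1e6 keys: {collision_probability(1_000_000):.2e}")
```

A pre-generated pool does not make guessing easier or harder than per-payment generation if both use the same key length and a CSPRNG; the guess odds depend only on how many unredeemed keys exist at once. Per-payment generation simply avoids storing unsold keys at all, and the uniqueness check belongs in the database, where the PRIMARY KEY makes it atomic, rather than in a loop over the table.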

Combining User Context in Machine-2-Machine OAuth2 Client Credential Flow

I have a REST API that is used by 2 separate applications and authenticates them with the M2M OAuth2 Client Credentials Flow.


One of the two applications is an automation service without user context. The second one is a REST API where users authenticate with the OAuth2 Implicit Flow.

Now I need to include the user context in my common REST API too, since some information should only be shared to certain users.

What is a secure strategy to implement that scenario with OAuth2? I thought I could just include the user (or a fixed string in the case of the automation service) in the access token of the Client Credentials Flow, but that doesn't seem possible.
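An added example serving two of the questions on this page, the first (JWT data going stale when a user registers a service) and this last one (user context on a client-credentials token). It is not code from either poster. It uses a minimal HS256 mint/verify pair built on the standard library instead of a JWT library; the signing key, the user store, the second dog record and the claim layout for the client token are assumptions for the demo. The `dh83db34u9f` / `d236d8g2d83d4` identifiers are the ones shown in the first question.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Demo-only HMAC key (assumption). In the first question every service holds it in ENV.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SIGNING_KEY, ttl: int = 300) -> str:
    """HS256 JWT. Whatever is in `claims` is frozen at signing time; nothing can
    change it later without re-signing, which is exactly the first question's pain."""
    now = int(time.time())
    body = dict(claims, iat=now, exp=now + ttl)
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes = SIGNING_KEY) -> dict:
    head, payload, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the header, picks the algorithm
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("expired")
    return claims


# ---- First question: data copied into the token goes stale -------------------
USERS = {"d236d8g2d83d4": {"name": "Dana", "services": []}}  # constructed user store


def register_service(user_id: str, service_id: str) -> None:
    USERS[user_id]["services"].append(service_id)


def services_from_token(token: str) -> list:
    """The question's current design: the 'services' array travels inside the JWT."""
    return verify(token)["services"]


def services_from_store(token: str) -> list:
    """Alternative: the JWT carries identity ('sub') only and the user service stays
    the source of truth, so no token has to be re-minted after an update."""
    return list(USERS[verify(token)["sub"]]["services"])


# ---- Last question: user context on a client-credentials token ---------------
# Assumed claim layout: the calling application goes in 'azp' (OIDC 'authorized
# party'); 'sub' is set only when a real user is behind the call. The automation
# service has no 'sub' and therefore only ever sees public data.
def mint_for_client(client_id: str, user_id: Optional[str] = None) -> str:
    claims = {"azp": client_id, "scope": "dogs:read"}
    if user_id is not None:
        claims["sub"] = user_id
    return mint(claims)


# Constructed records: the dog document from the first question plus a public one.
DOGS = [
    {"id": "dh83db34u9f", "ownerId": "d236d8g2d83d4", "dogName": "Maya", "public": False},
    {"id": "a1b2c3d4e5f", "ownerId": "k9k9k9k9k9k9k", "dogName": "Rex", "public": True},
]


def visible_dogs(token: str) -> list:
    """Resource-server check: public records for any valid token with the scope,
    private records only when the token's 'sub' is the owner."""
    claims = verify(token)
    if "dogs:read" not in claims.get("scope", "").split():
        raise PermissionError("missing scope")
    user = claims.get("sub")
    return [d["id"] for d in DOGS if d["public"] or d["ownerId"] == user]


if __name__ == "__main__":
    uid = "d236d8g2d83d4"
    tok = mint({"sub": uid, "services": list(USERS[uid]["services"])})
    register_service(uid, "walker-42")
    print("from token:", services_from_token(tok), " from store:", services_from_store(tok))
    print("web user sees:", visible_dogs(mint_for_client("web-api", uid)))
    print("automation sees:", visible_dogs(mint_for_client("automation-service")))
```

For the first question the lesson is that a JWT should answer "who is calling" and leave "what do they own right now" to the service that stores it; short token lifetimes plus a refresh path then cover the cases where identity-level claims really do change. For the last question the user-facing API forwards the user's identity in the token it presents downstream, the automation service presents a token with no user, and the shared API's authorization decision reads both the application (`azp`) and the optional user (`sub`) rather than treating every client-credentials caller alike.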