JWT authorized REST API on Anvil?

Can I/How can I build a JWT (JSON Web Token) authorized API on Anvil?

I’m aware of the http endpoint APIs on Anvil, but there are security issues with that framework (http endpoint APIs as a class) being open to so-called middleman attack.

So how about a genuine JWT-authorized REST API on Anvil?
Q1. Possible?
Q2. How?

I’m aware of the http endpoint APIs on Anvil, but there are security issues with that framework (middleman attack).

Erm…not that we’re aware of! We didn’t have any issues of this sort turn up in our last penetration test, but if you know of a viable attack against Anvil’s HTTP endpoints, please do send details to security@anvil.works, and we’ll get on it immediately.

Having said which, there’s no reason you can’t use JWT authentication for your HTTP endpoints. You’d have to assemble it by hand (extract the JWT from anvil.server.request.headers, load it into pyjwt or a similar library – I’d suggest the Secrets service for storing your private keys – and then decide whether to permit the request).

Do be careful, though, if you’re thinking of using JWT. JWT is secure when used 100% correctly, but it’s notoriously easy to get wrong and create a security hole.
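The steps above (pull the token out of the request headers, verify it against a key held in the Secrets service, then decide whether to permit the request) as a worked example. This is an added illustration, not code from the thread or from Anvil. To keep it runnable without extra packages it verifies HS256 with the standard library rather than pyjwt; the `authorize_request`, `verify_hs256_jwt` and `make_hs256_jwt` names are mine, the demo key and claims are constructed, and the Anvil calls in the trailing comment (`anvil.server.http_endpoint`, `anvil.server.request.headers`, `anvil.secrets.get_secret`, `anvil.server.HttpResponse`) are shown as an assumed shape for wiring it into an endpoint. It bakes in the checks that the "easy to get wrong" warning is about: the algorithm is pinned rather than read from the token, the signature is compared in constant time, and a token without an `exp` claim is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for this example only. In Anvil you would fetch the
# key from the Secrets service, e.g. anvil.secrets.get_secret("jwt_key")
# (assumed secret name), never hard-code it in a server module.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    """JWT uses unpadded URL-safe base64."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Re-add the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; only here so the example has something to verify."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server side. Trusting the token's own "alg"
    # is the classic mistake (alg=none / key confusion); we accept HS256 only.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Require an expiry; an unexpiring bearer token is a standing credential.
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def authorize_request(headers: dict, key: bytes, now=None):
    """Decide whether a request may proceed. Returns (ok, claims_or_reason)."""
    auth = headers.get("authorization") or headers.get("Authorization") or ""
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_hs256_jwt(auth[len("Bearer "):], key, now)
    except ValueError as exc:  # covers bad base64 and bad JSON as well
        return False, str(exc)
    return True, claims


# Assumed wiring inside an Anvil server module (not part of the page):
#
# @anvil.server.http_endpoint("/api/orders")
# def orders(**params):
#     key = anvil.secrets.get_secret("jwt_key").encode()
#     ok, result = authorize_request(anvil.server.request.headers, key)
#     if not ok:
#         return anvil.server.HttpResponse(401, result)
#     return {"partner": result["sub"], "orders": []}


if __name__ == "__main__":
    token = make_hs256_jwt({"sub": "partner-42", "exp": int(time.time()) + 300}, DEMO_KEY)
    print(authorize_request({"authorization": "Bearer " + token}, DEMO_KEY))
    print(authorize_request({"authorization": "Bearer " + token[:-2] + "xx"}, DEMO_KEY))
```

Passing `now` explicitly makes expiry checks testable; the endpoint wiring above leaves it at the default so the current clock is used. Swapping `verify_hs256_jwt` for `jwt.decode(token, key, algorithms=["HS256"])` from pyjwt gives the same pinned-algorithm behaviour with far less code to maintain, which is what you would do in a real Anvil app.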

Sorry Meredydd, I meant http endpoint APIs as a class have that problem according to my sources. Also our enterprise partner doesn’t want to send user/pass for each and every call. JWT is a minimum for them.

Thanks.

I’m not an expert in security, and after reading this post I started reading about MITM and JWT.
I found this article interesting and I thought it would be worth mentioning here.

Thanks.

That may be true, although, read the comments section too (JWT plus https is considered impenetrable by one commenter), and, most importantly, all modern, commercial APIs I have used use JWT as a minimum (i.e. they’re not https endpoints) and, besides, my enterprise partner is happy with JWT.

Also read this, which presents JWT as being of intermediate security between endpoints & OAuth2:
https://nordicapis.com/3-common-methods-api-authentication-explained/