(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0s | source

Show context

mavster ◴[27 May 21 13:50 UTC] No.27303085[source]▶

I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #

iratewizard ◴[27 May 21 14:59 UTC] No.27303919[source]▶

>>27303085 #

To get around this, one could include the request IP address in the JWT and required a refresh token to be sent when the user's IP switches.

replies(2): >>27304007 #>>27304896 #

remram ◴[27 May 21 16:26 UTC] No.27304896[source]▶

>>27303919 #

In this context, this would just prevent everybody from logging in. The JWT would correctly get rejected but people would still be getting the wrong token from the CDN over and over.

replies(1): >>27307787 #

1. iratewizard ◴[27 May 21 20:16 UTC] No.27307787[source]▶

>>27304896 #

Which would you rather? The situation you just described or users accidentally spoofing each other's session?

↑

Klarna users are being signed in to random accounts