# prisma-whats-new
p
Hello, after a bit of reading (not much, I admit!) I'm not sure whether or not `prisma token` generates a "permanent" HS256 token that never expires (equivalent to Graphcool Framework's PAT) or... not!?
l
I didn't know the answer, but it's a good question! So here's what I did to figure it out. JWT payloads are readable, so I stuck my prisma token into JWT.io and the iat (issued at) was March 13 and the exp is March 20. So they do expire after a week.
n
I can confirm 🙂 But you can mint your own tokens with custom expiry @picosam, which is different to GCF. On the other hand, there is no way to "revoke" a token, so creating one with long duration needs to be done with double care.
l
Changing the secret revokes the token, right? (And obviously kills all tokens in the process)
n
That's correct.
j
nilan you can revoke JWT tokens by storing them in a db on the server whenever you issue new ones. Then you can lookup
n
@lawjolla one more comment, `secret` in `prisma.yml` is actually a comma separated list, so you can reroll secrets without loss of connection.
@James yup, that's right 🙂 But no such system is employed for Prisma tokens.
l
But by using a db, you lose the entire point of a JWT. That's fine if you don't need or want the efficiency of trusted claims. I think Auth0 has it right. Give a long term idToken with an accessToken that expires every hour or so, and make the client re-up the accessToken. That minimizes the revoking problem.
p
Thank you all, I’m back after dinner 😛 I second what @lawjolla says indeed.
@nilan what library do you currently use to generate a JWT token when we run `prisma token`?
l
It should be in the CLI. I'll take a look
p
I saw `"jwt-decode": "^2.2.0"` but I thought that couldn't be it.
Ah, I think it's indeed there: `"jsonwebtoken": "^8.1.0"`
l
Nice! And for an easter egg, reading the source code yielded that `prisma token -c` copies it to the clipboard!
p
LOL, cool! Could you tell me which file you found the command in?
l