datatracker | WIP experimental project to make for a better ML | Machine Learning library

You actually don't need to store every refresh token ever made. You only need a list of used tokens to check if the one your user is trying to refresh is being reused, and since your refresh tokens should have an expiry time just like your access tokens, you also don't need to store tokens, even used ones, for longer than their lifespan.

• If a user tries to use a valid refresh token: It's not expired and not in your used tokens list. Good to go!
• If a user tries to use an expired token: It's expired so no need to worry about reuse, no need to check your database for used tokens.
• If a user tries to reuse a valid refresh token: It's in your list.

So while it does scale with the number of users, it's stable over time and won't blow out of proportion (on the condition that you do purge old tokens).

There are other things to consider. As mentioned in this other auth0 post, in case of a reuse, you want to invalidate the whole token family and not just deny access to the one user that reused a token (it might be the legitimate user). Then again, you don't need to store every token from the token family to keep track of what needs to be invalidated: You just need to add a family identifier to your tokens, mark that family identifier itself as invalid in case of a reuse, and deny future refresh attempts if they belong to an invalidated family. The list of invalidated families can be purged as well of all family identifiers invalidated for longer than your refresh tokens lifespan.

On the server request side of things, refresh tokens should be a net performance gain compared to other authorisation means like API keys or HTTP basic authentication, since for every refresh tokens you have to emit, you're also getting 20 minutes worth of requests for which you won't have to query the database to check if the API key is still valid, or if the password provided is the right one (especially since good password hashing functions like bcrypt are slow on purpose).

You could try to loop over your array inside the template and generate a p tag for every element of the array. This way there is no need to edit your main array in go.

Template:

PKCE ensures that the party who started the login is also completing it, and there are two main variations that I'll summarise below in terms of Single Page Apps (SPA).

PUBLIC CLIENTS

Consider a Single Page App that runs a code flow implemented only in Javascript. This would store a code verifier in session storage during the OpenID Connect redirect. Upon return to the app after login, this would be sent, along with the authorization code and state to the Authorization Server.

This would return tokens to the browser. If there was a Cross Site Scripting vulnerability, the flow could be abused. In particular the malicious code could spin up a hidden iframe and use prompt=none to get tokens silently.

CONFIDENTIAL CLIENTS

Therefore the current best practice for Single Page Apps is to use a Backend for Frontend (BFF), and never return tokens to the browser. In this model it is more natural for the BFF to operate like a traditional OpenID Connect website, where both the state and code_verifier are stored in a login cookie that lasts for the duration of the sign-in process.

If there was a Cross Site Scripting vulnerability, then session riding is possible by the malicious code, to send the authorization code to the BFF and complete a login. However, this would just result in writing secure cookies that the browser cannot access. Similarly, the hidden iframe hack would also only rewrite cookies.

The code_verifier could alternatively be stored in session storage and sent from the browser to the BFF, but it would be easy enough for malicious code to grab it and also send it to the server. This does not really change the risks, and the key point is that no tokens should be returned to the browser. It is OK to use secondary security values in the browser, as long as you can justify them, eg for security reviewers. Generally though it is easier to explain if secure values are in secure cookies and less visible to Javascript.

FURTHER INFO

Best practices often vary depending on the customer use case, and at Curity we provide resources for customers (and general readers) to explain secure design patterns. These are based on security standards and we translate them to customer use cases. You may find our recent SPA Security Whitepaper useful.

3 Chunks. For each chunk respond with 100 Continue

That is not how Expect: 100-Continue works. Your server code is completely wrong for what you are attempting to do. In fact, your server code is completely wrong for an HTTP server in general. It is not even attempting to parse the HTTP protocol at all. Not the HTTP headers, not the HTTP chunks, nothing. Is there a reason why you are not using an actual HTTP server implementation, such as Java's own HttpServer?

When using Expect: 100-Continue, the client is required to send ONLY the request headers, and then STOP AND WAIT a few seconds to see if the server sends a 100 response or not:

• If the server responds with 100, the client can then finish the request by sending the request body, and then receive a final response.

• If the server responds with anything other than 100, the client can fail its operation immediately without sending the request body at all.

• If no response is received, the client can finish the request by sending the request body and receive the final response.

The whole point of Expect: 100-Continue is for a client to ask for permission before sending a large request body. If the server doesn't want the body (ie, the headers describe unsatisfactory conditions, etc), the client doesn't have to waste effort and bandwidth to send a request body that will just be rejected.

HttpURLConnection has built-in support for handling 100 responses, but see How to wait for Expect 100-continue response in Java using HttpURLConnection for caveats. Also see JDK-8012625: Incorrect handling of HTTP/1.1 " Expect: 100-continue " in HttpURLConnection.

But, your server code as shown needs a major rewrite to handle HTTP properly, let alone handle chunked requests properly.

It's located here: https://datatracker.ietf.org/doc/html/rfc7643#section-8.7.1

For the emails scenario you described, the easiest approach would be to only allow one type(work, other..) and reject any request without a type or with a disallowed type.

You can read answer at ffmpeg libav-user mail list

Passing Range header in RTSP PLAY

Each peer should send WDR (both client and server) every X seconds. Usually there is a configuration to adjust how much time to wait between WDRs. (It does not have to be the same time in the client and in the server)

Preload is a big commitment. It will effectively be hardcoded into a browser’s code. Given it takes several months at a minimum to roll out new version, it’s basically irreversible.

Also as it’s down at the domain level, mistakes have been made. For example preloading domain.com but covering that blog.domain.com, or intranet.domain.com have not been upgraded to HTTPS. At this point your options are 1) upgrade side to HTTPS and live with zero users to the site until the or 2) reverse the preload and wait the months for that to roll out to all browsers and deal with zero users until then.

HTTPS is much more common now, so the risks are reduced but when HSTS preload first came out, these were real risks.

Therefore the preload attribute was a signal that the site owner was ready for that commitment. It also prevent someone else submitting a site that wasn’t using this header (whether maliciously or with good, but misguided, intentions).

You are correct in that it doesn’t “do” anything in the browser.

There was also talk of checking if the preload header was still being sent, and if not removing the preload but not sure if that’s done.

You can use a string as pseudo-array with separator like :, that obviously isn't a part of domain name.