yangou · November 1, 2018 21:06
diff --git a/Requirements b/Requirements
 ### Browser based

 1. Always use https
 2. Account has multiple users and groups.
 3. Groups are used to management permission over various resources.
 4. Login with username and password, and a access token is granted to client.
 5. Access token is valid with a reasonable amount of time, e.g. 24hrs. 
 6. Access token is carried over cross multiple browser sessions.
 7. Have a way to revoke the granted token.
 8. Avoid Cross Origin API's
 8. Avoid CSRF and XSS.
    XSS  Cross Site Scripting:  Embedded scripts, 3rd party javascript libraries, etc can achieve XSS and obtain the token.
    CSRF  Cross Site Request Forgery: Malicious website embedding request to the target site, triggers cookies carrying target sites’ token to be sent, and performed harmful action on user’s behalf. (Even if HttpOnly flag is turned on.)   HttpOnly + Secure flags on cookies are essential.
    (stored in session or local storage can result in XSS while storing it in cookies can result in CSRF.)
    Where to store JWT token?  https://auth0.com/docs/security/store-tokens.
    
    Solution: 
    1. Use a CSRF token and an Access Token. CSRF token is saved in session/local storage(accessible from javascript) and access token is stored in cookie .
    1. Store token in cookie, set Secure, HttpOnly, SameSite flag on cookie.
    2. Check HTTP Referer and Origin Headers.
    3. Include logged in claim, and expire based on logged in claim.
    4. Implement sliding windown expiration on each request, if neccessary.
    
    
    When submitting requests, both csrf token and access tokens are submitted. 
    Having a valid CSRF token means this request comes from the same origin(the origin for the frontend app), because only from the same origin, can javascript read from the local storage or session.
    Having a valid Access token means in cookie, means the request is made back to the log-in server.
    So the frontend origin and backend origin can be different in this sense.
    In backend, still check for Origin/Referrer.
	### Browser based

	1. Always use https
	2. Account has multiple users and groups.
	3. Groups are used to management permission over various resources.
	4. Login with username and password, and a access token is granted to client.
	5. Access token is valid with a reasonable amount of time, e.g. 24hrs.
	6. Access token is carried over cross multiple browser sessions.
	7. Have a way to revoke the granted token.
	8. Avoid Cross Origin API's
	8. Avoid CSRF and XSS.
	XSS Cross Site Scripting: Embedded scripts, 3rd party javascript libraries, etc can achieve XSS and obtain the token.
	CSRF Cross Site Request Forgery: Malicious website embedding request to the target site, triggers cookies carrying target sites’ token to be sent, and performed harmful action on user’s behalf. (Even if HttpOnly flag is turned on.) HttpOnly + Secure flags on cookies are essential.
	(stored in session or local storage can result in XSS while storing it in cookies can result in CSRF.)
	Where to store JWT token? https://auth0.com/docs/security/store-tokens.

	Solution:
	1. Use a CSRF token and an Access Token. CSRF token is saved in session/local storage(accessible from javascript) and access token is stored in cookie .
	1. Store token in cookie, set Secure, HttpOnly, SameSite flag on cookie.
	2. Check HTTP Referer and Origin Headers.
	3. Include logged in claim, and expire based on logged in claim.
	4. Implement sliding windown expiration on each request, if neccessary.


	When submitting requests, both csrf token and access tokens are submitted.
	Having a valid CSRF token means this request comes from the same origin(the origin for the frontend app), because only from the same origin, can javascript read from the local storage or session.
	Having a valid Access token means in cookie, means the request is made back to the log-in server.
	So the frontend origin and backend origin can be different in this sense.
	In backend, still check for Origin/Referrer.