idp.global/app
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ad751ecbad6a9339f717b958d13f6f08acfb3f9
app/stories/admin/ADM-001-backend-token-security.md
T
jkunz 014fb3080a add stories
2025-11-30 15:01:28 +00:00

1.2 KiB
Raw Blame History

Secure JWT Endpoints with Backend Token

ID: ADM-001 Priority: Critical Status: Planned

User Story

As a platform administrator, I want JWT-related endpoints to be secured with backend token validation so that only authorized services can access sensitive security operations.

Acceptance Criteria

  • Public key endpoint requires valid backend token
  • JWT blocklist endpoint requires valid backend token
  • Backend tokens are securely generated and distributed
  • Token validation is performed on every request
  • Invalid/missing token returns 401 Unauthorized
  • Tokens can be rotated without service interruption
  • Audit log for all backend token usage

Technical Notes

  • Two TODOs exist for backend token validation in JwtManager
  • getPublicKeyForValidation and pushOrGetJwtIdBlocklist need protection
  • Backend token should be separate from user JWT
  • Consider service-to-service authentication pattern
  • Environment variable for backend token configuration

Related TODOs

  • ts/reception/classes.jwtmanager.ts:40 - // TODO control backend token
  • ts/reception/classes.jwtmanager.ts:52 - // TODO control backend token
Reference in New Issue View Git Blame Copy Permalink