# Secure JWT Endpoints with Backend Token
**ID:** ADM-001

**Priority:** Critical

**Status:** Planned

## User Story

As a platform administrator, I want JWT-related endpoints to be secured with backend token validation so that only authorized services can access sensitive security operations.

## Acceptance Criteria

- [ ] Public key endpoint requires valid backend token
- [ ] JWT blocklist endpoint requires valid backend token
- [ ] Backend tokens are securely generated and distributed
- [ ] Token validation is performed on every request
- [ ] Invalid/missing token returns 401 Unauthorized
- [ ] Tokens can be rotated without service interruption
- [ ] Audit log for all backend token usage

## Technical Notes

- Two TODOs exist for backend token validation in JwtManager
- `getPublicKeyForValidation` and `pushOrGetJwtIdBlocklist` need protection
- Backend token should be separate from user JWT
- Consider service-to-service authentication pattern
- Environment variable for backend token configuration
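The following is an added example sketching how the notes above could be met in TypeScript; it is not the project's code and does not touch the real `JwtManager` methods. It assumes a `BACKEND_TOKEN` environment variable (plus an optional `BACKEND_TOKEN_PREVIOUS` that stays valid during a rotation window), a `Authorization: Bearer <token>` header from calling services, and a hypothetical `requireBackendToken` wrapper whose handler signature is invented for illustration. Tokens are compared in constant time, every call is recorded in an in-memory audit list (a real deployment would ship these events to its logging pipeline), and the audit entries carry only a hash prefix of the presented token, never the token itself.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed config shape: `current` is the active secret; `previous` is kept
// accepted during rotation so callers can be switched over one at a time.
export interface BackendTokenConfig {
  current: string;
  previous?: string;
}

export interface AuditEvent {
  ts: string;
  endpoint: string;
  outcome: "accepted" | "rejected";
  keyId?: "current" | "previous";
  reason?: string;
  tokenFingerprint?: string; // sha256 prefix of the presented token, never the token
}

export interface AuthResult {
  ok: boolean;
  status: 200 | 401;
  keyId?: "current" | "previous";
  reason?: string;
}

// In-memory audit sink for this example; a real service would forward events to its log pipeline.
export const auditLog: AuditEvent[] = [];

// Assumed variable names: BACKEND_TOKEN and BACKEND_TOKEN_PREVIOUS.
export function loadBackendTokenConfig(
  env: Record<string, string | undefined> = process.env,
): BackendTokenConfig {
  const current = env.BACKEND_TOKEN;
  if (!current || current.length < 32) {
    throw new Error("BACKEND_TOKEN must be set and at least 32 characters long");
  }
  const previous = env.BACKEND_TOKEN_PREVIOUS;
  return { current, previous: previous && previous.length >= 32 ? previous : undefined };
}

// Hash both sides so timingSafeEqual always receives equal-length buffers and
// the comparison time does not depend on where the two strings first differ.
function constantTimeEquals(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a).digest();
  const hb = createHash("sha256").update(b).digest();
  return timingSafeEqual(ha, hb);
}

function fingerprint(token: string): string {
  return createHash("sha256").update(token).digest("hex").slice(0, 12);
}

export function extractBearer(headers: Record<string, string | undefined>): string | undefined {
  const raw = headers["authorization"] ?? headers["Authorization"];
  const m = raw ? /^Bearer\s+(\S+)$/.exec(raw) : null;
  return m ? m[1] : undefined;
}

// Validates the backend token on a single request and records the outcome.
export function checkBackendToken(
  headers: Record<string, string | undefined>,
  endpoint: string,
  cfg: BackendTokenConfig,
  audit: AuditEvent[] = auditLog,
): AuthResult {
  const ts = new Date().toISOString();
  const presented = extractBearer(headers);
  if (!presented) {
    audit.push({ ts, endpoint, outcome: "rejected", reason: "missing backend token" });
    return { ok: false, status: 401, reason: "missing backend token" };
  }
  let keyId: "current" | "previous" | undefined;
  if (constantTimeEquals(presented, cfg.current)) keyId = "current";
  else if (cfg.previous && constantTimeEquals(presented, cfg.previous)) keyId = "previous";
  if (!keyId) {
    audit.push({ ts, endpoint, outcome: "rejected", reason: "invalid backend token", tokenFingerprint: fingerprint(presented) });
    return { ok: false, status: 401, reason: "invalid backend token" };
  }
  audit.push({ ts, endpoint, outcome: "accepted", keyId, tokenFingerprint: fingerprint(presented) });
  return { ok: true, status: 200, keyId };
}

// Hypothetical guard for endpoints such as the public-key and blocklist handlers;
// the handler signature is assumed for this example.
export type Handler<T> = (body: unknown) => T;
export function requireBackendToken<T>(endpoint: string, cfg: BackendTokenConfig, handler: Handler<T>) {
  return (headers: Record<string, string | undefined>, body: unknown): { status: number; body: T | { error: string } } => {
    const auth = checkBackendToken(headers, endpoint, cfg);
    if (!auth.ok) return { status: 401, body: { error: auth.reason ?? "unauthorized" } };
    return { status: 200, body: handler(body) };
  };
}
```

Rotation without interruption then works by moving the old value into `BACKEND_TOKEN_PREVIOUS`, setting the new value in `BACKEND_TOKEN`, redeploying the callers, and finally unsetting `BACKEND_TOKEN_PREVIOUS`; the `keyId` field in the audit log shows which callers are still on the old secret.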

## Related TODOs

- `ts/reception/classes.jwtmanager.ts:40` - `// TODO control backend token`
- `ts/reception/classes.jwtmanager.ts:52` - `// TODO control backend token`