For JWT tokens:
Best practices:
- Rate limiting
- Short-lived access tokens paired with refresh tokens
- Exponential backoff
- Token blacklist / rotation strategy
- Hashed passwords (Argon2)
What if a token gets stolen?
Solution: use short-lived access tokens together with refresh tokens, so a stolen access token expires within minutes and the refresh token can be rotated on every use and revoked when misuse is detected.
If someone changes their password on one device, what about the other devices?
Solution: invalidate all sessions when the password is changed. With stateless JWTs this needs a server-side hook, e.g. a per-user token version stored with the account, embedded as a claim in every token and compared on each request; bumping it on password change rejects every token issued before the change.
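The two answers above, as an added worked example that is not code from the original post: an HS256 JWT signer/verifier built on the standard library, a short access-token TTL, and a per-user token version that is bumped on password change so tokens issued earlier fail on every device. The in-memory USERS store, the demo signing key, and the 900-second TTL are constructed for this example; hashlib.scrypt stands in for Argon2 only because it ships with the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: demo key for this example; a real deployment loads it from a secret store.
SECRET = b"demo-signing-key-change-me"

USERS = {}  # constructed in-memory user store: username -> {"salt", "pw_hash", "token_version"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Only the algorithm we mint with is accepted; "alg" from the token is never trusted on its own.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError):  # wrong segment count, bad base64/JSON, non-numeric exp
        return None
    return claims


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the post recommends Argon2; scrypt is used here only because it is in the stdlib.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "token_version": 1}


def login(username: str, password: str, now: float, access_ttl: int = 900):
    """Check the password and mint a short-lived access token carrying the user's current token version."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(user["pw_hash"], candidate):
        return None
    return sign_jwt({"sub": username, "ver": user["token_version"], "iat": now, "exp": now + access_ttl})


def authenticate(token: str, now: float):
    """Resolve a token to a username, or None if it is invalid, expired, or predates a password change."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return None
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("ver") != user["token_version"]:
        return None
    return claims["sub"]


def change_password(username: str, new_password: str) -> None:
    """Rotate the hash and bump token_version so every token minted before this call is rejected."""
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["token_version"] += 1
```

The version check costs one user lookup per request, which is the price of being able to revoke stateless tokens at all; the same lookup is where a token blacklist or refresh-token rotation check would live.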
**Login - Rate Limiting Strategy**
Layer 1: IP-based limiting (prevents brute force from a single source). Key on the IP of the connection or on a forwarded-for header that only a trusted proxy can set; a client-controlled X-Forwarded-For lets an attacker pick a fresh bucket per request.
Layer 2: Username/email-based limiting (protects specific accounts regardless of how many IPs the attacker uses). Prefer slowing the account down over hard-locking it, otherwise an attacker can lock the real user out on purpose.
Layer 3: Progressive penalties with exponential backoff (each failure beyond a small allowance doubles the wait, up to a cap)
IP-based limiting ->
Token Bucket
Key: IP address
Value: { tokens, last_refill_timestamp }
Parameters chosen for this example:
Tokens: 10 (bucket capacity)
Refill: 1 token every 6 seconds
For a new client
no entry exists for the IP, so create one
IP : { tokens: 10, last_refill_timestamp: 1:00 }
the client makes a request
IP : { tokens: 9, last_refill_timestamp: 1:00 }
Now within 3 seconds the client has used all 10 tokens
for the 11th request at 1:03
compute the refill from last_refill_timestamp
current_time - last_refill_timestamp = 3 sec
number of new tokens = floor(3 / 6) = 0
total tokens are 0, so return 429 (Too Many Requests)
at 1:07 the client makes a new request, so recalculate:
7 sec elapsed, floor(7 / 6) = 1 new token, so the request is allowed and the bucket is back at 0.
Update last_refill_timestamp by the whole intervals credited (to 1:06), not to the current time, otherwise the leftover second is thrown away on every refill. Cap tokens at 10 when refilling so an idle client cannot bank an unbounded burst.
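The walk-through above and the three layers listed before it, as an added example that is not code from the original post. It goes a step beyond the text: the IP token bucket is paired with a per-username limiter whose penalties grow exponentially, and a small login handler combines them. The IP addresses, usernames, the 3-free-failures allowance, the 2-second base delay, and the 900-second cap are constructed for this example, and the caller is assumed to pass a clock value `now` and the result of its own credential check as `password_ok`.

```python
class TokenBucket:
    """Layer 1: token bucket keyed by client IP.

    Each key holds { tokens, last_refill_timestamp }; `capacity` tokens are granted up front and
    one token is credited back every `refill_interval` seconds (10 tokens, one per 6 s, as in the text).
    """

    def __init__(self, capacity: int = 10, refill_interval: float = 6.0):
        self.capacity = capacity
        self.refill_interval = refill_interval
        self.buckets = {}  # ip -> {"tokens": int, "last_refill_timestamp": float}

    def allow(self, ip: str, now: float) -> bool:
        """Consume one token for `ip` at time `now`; False means the caller should answer 429."""
        bucket = self.buckets.get(ip)
        if bucket is None:  # first request from this IP: create a full bucket
            bucket = self.buckets[ip] = {"tokens": self.capacity, "last_refill_timestamp": now}
        elapsed = now - bucket["last_refill_timestamp"]
        new_tokens = int(elapsed // self.refill_interval)  # floor(3 / 6) = 0, floor(7 / 6) = 1
        if new_tokens > 0:
            bucket["tokens"] = min(self.capacity, bucket["tokens"] + new_tokens)
            # Advance by whole intervals only, so the fractional second left over is not lost.
            bucket["last_refill_timestamp"] += new_tokens * self.refill_interval
        if bucket["tokens"] <= 0:
            return False
        bucket["tokens"] -= 1
        return True


class AccountLimiter:
    """Layers 2 and 3: per-username failure counter with exponential backoff penalties.

    The first `free_failures` failed logins cost nothing; each one after that blocks the account for
    base_delay * 2**(excess - 1) seconds, capped at `max_delay`, so a bad actor is slowed down rather
    than the account being locked outright.
    """

    def __init__(self, free_failures: int = 3, base_delay: float = 2.0, max_delay: float = 900.0):
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}  # username -> {"failures": int, "blocked_until": float}

    def retry_after(self, username: str, now: float) -> float:
        """Seconds the account must still wait; 0.0 means a login attempt may proceed."""
        s = self.state.get(username)
        if s is None or now >= s["blocked_until"]:
            return 0.0
        return s["blocked_until"] - now

    def record_failure(self, username: str, now: float) -> None:
        s = self.state.setdefault(username, {"failures": 0, "blocked_until": 0.0})
        s["failures"] += 1
        excess = s["failures"] - self.free_failures
        if excess > 0:
            s["blocked_until"] = now + min(self.max_delay, self.base_delay * 2 ** (excess - 1))

    def record_success(self, username: str) -> None:
        self.state.pop(username, None)  # a real login resets the penalty ladder


def handle_login(ip: str, username: str, password_ok: bool, now: float,
                 ip_limiter: TokenBucket, account_limiter: AccountLimiter) -> int:
    """Apply the three layers in order and return an HTTP-style status: 429, 401 or 200.

    `ip` must come from the connection or a trusted proxy, never from a client-settable header,
    and `password_ok` is the result of the caller's own credential check (assumed, not shown).
    """
    if not ip_limiter.allow(ip, now):          # Layer 1: this source is sending too fast
        return 429
    if account_limiter.retry_after(username, now) > 0:  # Layers 2/3: this account is cooling down
        return 429
    if not password_ok:
        account_limiter.record_failure(username, now)
        return 401
    account_limiter.record_success(username)
    return 200
```

Both limiters take `now` as a parameter rather than reading the clock, which is what makes the 1:03 / 1:07 scenario reproducible in a test; in a multi-instance deployment the two dictionaries would live in a shared store such as Redis, with the read-modify-write done atomically.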