DEV Community

Discussion on: Cryptographically protecting your SPA

prabhjot85

What you have ended up implementing is basically using the JWT, which is a pretty standard pattern when you don't want the data to be modified and want a way for consumers to verify the data is not tampered with (e.g. OAuth 2.0 tokens). You can probably look more at how it is used in the OAuth world to improve your implementation (rotating private key).

Matheus Adorni Dardenne • Edited

Sort of. In fact, JWT is used in the application for authentication. We store data about the user in the token, and we make a request to the API with the token in the headers to get information about his access level. The endpoint verifies the signature, decodes the data, does some processing, and spits back the information we want.

The problem is that it still relies on the backend to verify the signature (does it not? Legit question, this is how I learned it). Since the attacker can change the information that is coming back from the API, he could just make it say "yup, das legit bro, he is an admin", and be allowed into pages he wasn't supposed to be in, even if this only gives him very limited access to actual data.

Still, the guys upstairs did not like this, and I was tasked with fixing it.