@Grim
I code, therefore I am.
So how do you pass data between your functions? Using objects? BAM! You're using object-oriented programming again (encapsulation). All I'm seeing in this article is somebody who has had to work on badly designed abstractions and then claims "functional to the rescue" without saying how functional solves all of his problems (probably because it doesn't).
There are four ways modern applications generally authenticate: outsource your authentication to an OAuth-like provider and hope they don't get compromised; keep a session per user (which is horrible for scaling unless your load balancer can send all the requests from that user to the same server); generate a token, keep it in some sort of database and authenticate each request against that database (this is my preferred way of building authentication: all components can be built stateless without sessions and it scales well); and lastly, build a complicated token that contains all the authentication details. That is the same as the previous one, except that the token is not stored in the database and your backend has to decrypt the token to validate whether it's a valid token. The only problem I have with the last way of authentication is that if somebody figures out how to re-create your tokens, they can log in with any account, whereas with the third way, you generate a secure GUID which is completely random, and unless you can match that random token, you can't log in.
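The third approach in the comment above (a random opaque token looked up in a database on every request), as an added example that is not part of the original comment. The `TokenStore` class and the in-memory dictionary are assumptions standing in for whatever database the comment has in mind; the point is that the token carries no information, only the server-side lookup gives it meaning, and the store keeps a hash of the token rather than the token itself so a leaked copy of the store cannot be replayed.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class TokenStore:
    """Hypothetical opaque-token store: issues random tokens and validates
    requests by looking them up. The dict stands in for a database table."""

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        # token_hash -> (user_id, expires_at)
        self._rows: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a dump of the table is useless without the
        # original tokens, and looking up a fixed-length digest means the
        # lookup time does not depend on how many token bytes were guessed.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG. There is nothing to
        # "re-create": a valid token can only be obtained from the server.
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user id bound to this token, or None if it is unknown
        or expired. Expired rows are removed on first sight."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, expires_at = row
        if self.clock() > expires_at:
            del self._rows[key]
            return None
        return user_id

    def revoke(self, token: str) -> None:
        # Immediate server-side revocation is the property self-contained
        # tokens lack: once the row is gone, the token is dead everywhere.
        self._rows.pop(self._digest(token), None)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60)
    t = store.issue("alice")
    print("valid:", store.authenticate(t))        # alice
    print("bogus:", store.authenticate("nope"))   # None
    store.revoke(t)
    print("revoked:", store.authenticate(t))      # None
```

Because every backend node only needs access to the same store, the application servers themselves stay stateless, which is the scaling property the comment is after; revocation and expiry are a row delete rather than a key rotation.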
"If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20) This is a guest post from Tim McLean, who is a member of the Auth0 Security Researcher Hall of Fame. Tim normally blogs at www.timmclean.net."
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
For implementations, see http://jwt.io/
I would personally stay away from JWT except for pet projects. HTTP-only + Secure cookies have been around for a long time, have been tried and tested, and have had their vulnerabilities fixed, whereas JWT might still have plenty of flaws in it to be discovered.