All geek questions in one place

JWT authentication for <img> tags?

Suppose I have a one-page application that uses JWT tokens for authentication on the backend REST api. I pass the JWT token inside the http header when making a REST request. So far so good.

Now suppose I want to download an image from a server, and I want the image to be available only to authenticated users. This is not a problem on the server: just identify the route that delivers the image, and check the JWT token on that route.

But: How to transfer the token from the client to the server? If I use a regular tag <img ...>, I cannot attach the token as the http header. What should I do?

Basically I can think of adding a token, for example. base64-encoded, in the query string, but this does not seem very safe, as the marker then appears in the browser history. On the other hand, I cannot come up with a different approach without loading the images completely using JavaScript.

Any clues?

+4
source share
1 answer

If I'm thinking of Amazon S3, then you need a signed URL. Since you already suggested adding a token to the query string, it would be nice.

About security: I think this is a question of the token expiration date. Since there is no sign of token invalidation, it might be better to use signed URLs:

  • Get JWT
  • Get a signed URL with this token
  • Use this URL to extract img

URL JWT, , URL.

+1

Source: https://habr.com/ru/post/1599723/

More articles:


All Articles