Concern around session token - jwt_secret field

Hi balena,
Love the product and keeping it free for 10 devices is awesome!

I’m concerned with the jwt session token. I see jwt_secret as part of the jwt and the alg is HS256 rather than RS256.
If my session jwt becomes compromised, what’s stopping someone from forging a new jwt with that “jwt_secret” value and updating the expiry etc.?
Wondering what the reasoning behind including jwt_secret and HS256 was?

Admittedly, I haven’t had a chance to try forging a new token to see what would happen. Thought I’d raise it just in case.

@rhysjtevans good stuff digging into our JWT structure! The jwt_secret value in our tokens is not actually the secret used to sign the tokens but an extra random identifier that we store per user. Specifically, we rotate this value whenever you do a “Signout from all sessions” to immediately invalidate any existing tokens.

I admit it could use a better name. Naming things is hard.

Makes sense now :slight_smile: any plans to move to RS256 alg?

We don’t have plans to move to RS256, because we don’t have a use case at the moment where asymmetric cryptography would give us any benefit, such as where different systems would need to validate this token.
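The scheme described in this thread, as an added example that is not balena's code: an HS256 token whose `jwt_secret` claim is a per-user random identifier that the server compares against its stored value and rotates on sign-out. The claim name and algorithm come from the thread; the key handling, the in-memory store, the `sub` and `exp` claims and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # assumed server-side HS256 key; never put in a token
USER_SESSION_IDS = {"alice": secrets.token_hex(16)}  # constructed per-user random identifier

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def _encode(claims: dict, key: bytes) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(f'{header}.{body}', key)}"

def issue(user: str, ttl: int = 3600) -> str:
    claims = {"sub": user, "jwt_secret": USER_SESSION_IDS[user], "exp": int(time.time()) + ttl}
    return _encode(claims, SIGNING_KEY)

def verify(token: str) -> str:
    try:
        header, body, sig = token.split(".")
        # Check the HMAC with the server key before trusting anything inside the token.
        if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{body}", SIGNING_KEY).encode()):
            return "bad-signature"
        alg, claims = json.loads(_unb64(header))["alg"], json.loads(_unb64(body))
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if alg != "HS256":
        return "bad-alg"
    if claims["exp"] < time.time():
        return "expired"
    # The claim is only compared with the stored value; it is never used as a key.
    if claims["jwt_secret"] != USER_SESSION_IDS.get(claims["sub"]):
        return "revoked"
    return "ok"

def sign_out_everywhere(user: str) -> None:
    USER_SESSION_IDS[user] = secrets.token_hex(16)  # rotation invalidates older tokens

def resign_with_claim(token: str, extra_seconds: int) -> str:
    """The scenario from the question: re-sign using the jwt_secret claim as the key."""
    claims = json.loads(_unb64(token.split(".")[1]))
    claims["exp"] += extra_seconds
    return _encode(claims, claims["jwt_secret"].encode())
```

A token re-signed with the claim value fails the signature check because the HMAC key is a separate server-side value, and a token issued before `sign_out_everywhere` is rejected as revoked even though its signature and expiry are still valid.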