Greetings,
I’m seeking validation for my Django API implementation to ensure its security. Your assistance is greatly appreciated!
Here’s the process I’ve implemented to test:
- Within my database, I have two crucial models:
  - “User” with a login type (web2, web3) and nullable fields for email, first name, last name.
  - “UserIdentity” with a login ID and a linked user.
- On the front-end (React), the user logs in and obtains a tokenId.
- I then send a POST request to Django with this tokenId.
- On the backend, I receive the tokenId and use JWT decoding without a key to determine if the login is from either “web2” or “web3.”
import jwt

# Signature deliberately NOT checked here: this payload is untrusted and is used
# only to decide which JWKS URL to verify against, never for anything else.
not_trusted_data = jwt.decode(token_id, key=None, options={"verify_signature": False})
# A token without a 'wallets' list previously raised TypeError; treat it like any non-app-key wallet.
first_wallet = (not_trusted_data.get('wallets') or [{}])[0]
login_type = 'WEB2' if first_wallet.get('type') == 'web3auth_app_key' else 'WEB3'
- Subsequently, I define the URL for JWT verification based on whether it’s “web2” or “web3.”
- I decode the JWT with a public key.
from jwt import PyJWKClient

# Fetch the signing key (matched by the token's 'kid' header) from the JWKS URL chosen above.
client = PyJWKClient(url)
pub_key = client.get_signing_key_from_jwt(token_id).key
# Disable 'verify_aud' because the server is not the audience of openlogin; it was the client.
# The algorithm is pinned to ES256 so the token cannot choose its own.
jwt_decoded = jwt.decode(token_id, pub_key, algorithms=["ES256"], options={'verify_aud': False})
- Next, I obtain a unique ID:
if login_type == 'WEB2':
    login_id = jwt_decoded.get('verifierId')
else:
    login_id = jwt_decoded.get('wallets')[0]['address']
- If I have a “UserIdentity” matching the login_id with the login_type, I log in the user.
- If I have an email matching, I log in the user and add a new “UserIdentity.”
- If I don’t have any matching data, I create a new user and “UserIdentity.”
Thank you for your time and assistance!
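The flow in the post (unverified peek to pick a key, verify, extract a login ID, then resolve or create the identity) end to end, as an added example that is not the poster's code. It uses HS256 with standard-library HMAC in place of the post's ES256 plus PyJWKClient so it runs offline; VERIFY_KEYS, IdentityStore, the demo secrets and the email_verified claim are assumptions made for the example. The security-relevant point it shows is that the unverified payload may only select a key from a fixed allowlist, and that the login type and login ID must be re-derived from the verified claims afterwards; it also adds one hardening the post does not mention, linking an existing account by email only when the issuer asserts the email is verified.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one verification key per login type, mirroring the post's one JWKS URL
# per type. HS256 secrets (constructed for this demo, not real) stand in for the
# post's ES256 keys so the example runs offline; the flow is otherwise the same.
VERIFY_KEYS = {
    "WEB2": b"web2-demo-secret-not-real",
    "WEB3": b"web3-demo-secret-not-real",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token; stands in for the identity provider so the demo has inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def login_type_from_claims(claims: dict) -> str:
    """The post's rule: a first wallet of type web3auth_app_key means a web2 login."""
    wallets = claims.get("wallets") or []
    first_type = wallets[0].get("type") if wallets else None
    return "WEB2" if first_type == "web3auth_app_key" else "WEB3"

def peek_unverified(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature. Its only job is key selection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Check the pinned alg, the signature and expiry; return claims only if all pass."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authenticate(token: str, now=None) -> tuple:
    """Returns (login_type, login_id, verified_claims); raises ValueError/KeyError on bad input."""
    # 1. Untrusted peek: decide which allowlisted key to try, and nothing else.
    guessed_type = login_type_from_claims(peek_unverified(token))
    # 2. Verify with that key. A forged or mis-routed token fails here.
    claims = verify_hs256(token, VERIFY_KEYS[guessed_type], now)
    # 3. Re-derive the type from the VERIFIED claims and discard the guess.
    login_type = login_type_from_claims(claims)
    if login_type != guessed_type:
        raise ValueError("login type changed between peek and verification")
    login_id = claims["verifierId"] if login_type == "WEB2" else claims["wallets"][0]["address"]
    return login_type, login_id, claims

def is_accepted(token: str, now=None) -> bool:
    try:
        authenticate(token, now)
        return True
    except (ValueError, KeyError):
        return False

class IdentityStore:
    """In-memory stand-in for the User / UserIdentity tables (constructed for the demo)."""
    def __init__(self):
        self.users = {}       # user_id -> {"email": ..., "login_type": ...}
        self.identities = {}  # (login_type, login_id) -> user_id

    def resolve(self, login_type: str, login_id: str, claims: dict) -> tuple:
        """The post's three cases; returns (user_id, "login" | "linked" | "created")."""
        key = (login_type, login_id)
        if key in self.identities:
            return self.identities[key], "login"
        email = claims.get("email")
        # Hardening beyond the post (assumes the issuer emits an email_verified claim):
        # linking by an unverified email would let whoever controls that address at the
        # provider sign in as the existing user.
        if email and claims.get("email_verified") is True:
            for user_id, user in self.users.items():
                if user["email"] == email:
                    self.identities[key] = user_id
                    return user_id, "linked"
        user_id = len(self.users) + 1
        self.users[user_id] = {"email": email, "login_type": login_type}
        self.identities[key] = user_id
        return user_id, "created"
```

With real ES256 tokens the only change is in step 2: replace verify_hs256 with PyJWKClient plus jwt.decode against the JWKS URL selected for guessed_type, keeping the algorithm pinned and keeping the set of URLs a fixed allowlist rather than anything derived from the token.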