by jteppinette 2314 days ago
Stakeholder: “so you are saying that after a user is denied access they can still access the resources?” Dev: “yes, but only for 15 minutes. Also, it makes our system simpler and decreases database calls, increases performance, ...” Stakeholder: “nope”
6 comments

Meanwhile on sales call with Microsoft:

"Authentication takes a few minutes to replicate throughout our systems so an SLO request should be resolved within a few minutes". Stakeholder: Ok sounds good

+1 on this... it can be up to a 30 minute lag in some orgs... oh, you have access to those systems for a while until things sync up... similar for LDAP/AD sync with *nix/Windows.
Which makes sense when I think about how some of the more trigger-happy orgs made a point of shutting people's accounts off as they were being walked into a room...
For parts of the site where you need to boot somebody instantly... just hit up the authentication server on every request to validate the session. For parts of the site where it doesn’t matter so much, wait for the token to expire....

It isn’t all or nothing.

I did exactly this on the last implementation of JWT I did. Common actions wouldn’t hit the database if the token was less than an hour old, but actions like changing email address or password would always check the database.
This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.

Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.
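The tiered approach the last few comments describe (trust an unexpired JWT for common actions; for critical actions require a fresh `iat` and hit the database), as an added example that is not code from any commenter. It assumes a constructed HS256 key, a 3-minute freshness window taken from the comment above, and a set of revoked users standing in for the database lookup:

```python
import base64, hmac, hashlib, json, time

SECRET = b"constructed-demo-key"          # constructed for the example, not a real key
FRESHNESS_SECONDS = 3 * 60               # critical actions: iat must be this recent
REVOKED_USERS = {"mallory"}              # stands in for the "hit the database" check

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, now: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying iat (issue time) and exp (expiry)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, critical: bool, now: int) -> tuple[bool, str]:
    """Tiered check: common actions trust any valid, unexpired token;
    critical actions additionally need a fresh iat and a revocation lookup."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    # Always recompute HS256 with our key, so an attacker-chosen alg is ignored.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        return False, "expired"
    if not critical:
        return True, "ok (token trusted until exp)"
    if now - claims["iat"] > FRESHNESS_SECONDS:
        return False, "stale token: re-authenticate for critical action"
    if claims["sub"] in REVOKED_USERS:       # the database call, done only here
        return False, "revoked (database check)"
    return True, "ok (fresh and not revoked)"

if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("alice", now)
    print(authorize(tok, critical=False, now=now + 600))   # accepted without a DB call
    print(authorize(tok, critical=True, now=now + 600))    # stale for a critical action
```

A revoked user keeps read access until `exp`, which is exactly the 15-minute window the top comment argues about; the example only narrows where that window applies.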
I actually have this conversation a lot, and the answer is usually "okay" and rarely "nope". Stakeholders have to weigh many more pros and cons.
Usually in one of those scenarios, you will try to hold, say a fired employee for that long in order to deactivate all their accounts and access anyway... in reality it's not much of an increased risk...

You still could blacklist, but realistically most areas don't need a dedicated revocation check. Some critical areas might, depending on the space.

Authentication and authorization are different things, if the latter is done properly a bit of waiting for the former is no biggie.
This tradeoff comes up all the time on highly scaled systems, and stakeholders rarely if ever say "nope" in my experience.