In an ideal world, the private key should be stored in an HSM, preventing exfiltration. However, even assuming an HSM, the current scheme doesn't protect against malicious actors pre-signing requests on the client and exfiltrating those requests.
This library adds more defense-in-depth, making it harder to attack sessions, but not impossible.
This library adds more defense-in-depth, making it harder to attack sessions, but not impossible.