I’m working on a test bot to understand the API and I have a question about authentication and JWT validation.
As far as I can see, the way to authenticate is to call the /user/login endpoint with valid credentials, which will return a JWT. All is good except the JWT payload. I see that it contains iat but nothing about expiry (exp).
Now, I wanted to use the JWT for multiple requests, but that’s difficult if I cannot figure out when the token expires. What is the best way to be sure about the validity of a JWT before using it? Should I get a new JWT before every operation? Is that the intended behavior? Or maybe I misunderstand the way authentication works with Lemmy?
Edit: I asked this on the Lemmy Development channel a few days ago and apparently someone has created an issue on GitHub. So, perhaps this will be addressed in a later update.
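One client-side refresh policy for the situation described in this post, as an added example that is not part of the thread or of Lemmy's own code: it reads the JWT claims without verifying them (a client has no server key, so this only decides when to re-login, the server's check stays authoritative), honours exp when present, and otherwise applies a local max age measured from iat. The secret, the minted tokens and the login() callback are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-test-secret"  # only for minting sample tokens locally

def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: bytes = SECRET) -> str:
    # Mints a constructed sample JWT so the example runs offline;
    # a real Lemmy token comes from the /user/login call, not from here
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_claims(token: str) -> dict:
    # Reads the payload WITHOUT verifying the signature: the client holds no
    # server key, so the claims inform a refresh decision and nothing more
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))

def token_is_usable(token: str, now: int, max_age_s: int = 3600, margin_s: int = 60) -> bool:
    # Refresh a little early (margin_s) so a request never races the expiry
    claims = decode_claims(token)
    if "exp" in claims:
        return now + margin_s < int(claims["exp"])
    iat = claims.get("iat")
    if iat is None:
        return False  # nothing to reason from; treat as stale and re-login
    # No exp claim (the case in this thread): apply a local max age from iat
    return (now - int(iat)) + margin_s < max_age_s

def ensure_fresh(token, login, now: int, max_age_s: int = 3600) -> str:
    # login() is a hypothetical callback that performs /user/login and returns a new JWT
    if token is not None and token_is_usable(token, now, max_age_s):
        return token
    return login()
```

A bot should still treat an HTTP 401 on any request as "token rejected" and call login() again, since the local max age is only a guess about the server's policy.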
It doesn’t look very good, no. It would be good to bring Lemmy to OAuth 2.1, where the self-contained token with a sensible lifetime is passed in the Authentication header. Currently it’s either passed in the URL (GET) or in the model (PUT/POST).
I have some OAuth experience, but I’m not a Rust developer. So, I thought of offering some help regarding the design and testing of an OAuth mechanism, but since I cannot really contribute to the implementation, that may not be much help. Also, this kind of change will break at least some of the existing clients. I don’t know if the core team would be willing to make such a change.