From 6a443e173aaf93fd1c17312922ac2189fc30f065 Mon Sep 17 00:00:00 2001 From: ryan Date: Sun, 1 Mar 2026 12:16:36 -0500 Subject: [PATCH] Update Security --- Security.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Security.md b/Security.md index 580863c..588e9bd 100644 --- a/Security.md +++ b/Security.md @@ -1,3 +1,4 @@ +# Refresh Tokens It sounds like you have a Session Cookie issue. Even if your JWT token is valid for 30 days inside the cookie, the browser (or mobile webview) will delete that cookie the moment the "session" ends unless you explicitly tell it to save it to the hard drive. Here is why you're getting logged out and how the "big players" like Amazon stay logged in. @@ -30,3 +31,12 @@ Summary Checklist for 30-Day Login: | Protocol | Must use HTTPS for Secure cookies to persist on mobile. | | Strategy | Use a Refresh Token in a persistent cookie and a JWT in memory. | Would you like me to help you write the logic for a Refresh Token system so your app is more secure than using a single 30-day JWT? + +# Login +The problem: Right now anyone can hammer POST /auth/login or POST /auth/refresh with unlimited requests — brute-forcing passwords or tokens. + +What it would look like: + +The fix: Use flask-limiter to add per-IP rate limits: + +Why it's deferred: Requires deciding on limits, storage backend for counters (in-memory vs Redis), and how to handle legitimate users behind NAT/shared IPs. \ No newline at end of file
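Review bot: the new `# Refresh Tokens` heading in the first hunk is added with no blank line before the body text, and the text it now titles is a conversational answer ("It sounds like you have a Session Cookie issue…", "Would you like me to help you write the logic…") rather than documentation; suggest adding a blank line after the heading and rewriting the opening and closing sentences as project guidance so the section reads as the repo's own security notes.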
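Review bot: in the second hunk, "What it would look like:" and "The fix: Use flask-limiter to add per-IP rate limits:" both end in a colon but are followed by nothing, so the section promises an example and a configuration that are not there; either fill them in or drop the trailing colons so the note stands as a deferred TODO. The "Why it's deferred" line itself points out that per-IP limits penalise users behind NAT or shared IPs, so the fix line should also mention a per-account (or per-credential) limit and lockout/backoff on failed logins as the primary control, with the per-IP limit as a secondary one. Two smaller points: the `/auth/refresh` brute-force risk depends on refresh tokens being short or guessable, so the section should state that tokens are long random values and that rate limiting there is defence in depth; and the file now ends without a trailing newline ("\ No newline at end of file"), which should be fixed.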