Tags: spring-boot, security, spring-security, api-security

Preventing to send requests from different devices


I have a Spring Boot project with a login endpoint that generates a token for accessing other endpoints. When a user logs in from a specific device (browser or application), I want to add a security measure that prevents the generated token from being used on other devices. In other words, the token should only be valid for the device it was generated on.

For example:

User logs in from Device X and receives a token like **************. If the user tries to use the same token from Device Y or any other device, access to the endpoints should be denied. Currently, I have implemented an AllRequestFilter class to filter all requests. How can I add this device-specific security to my application?

Here are some specific requirements I have:

  • The token should be tied to the device that generated it, preventing its use on other devices.
  • The solution should work for both browser-based logins and logins from mobile applications.
  • I want to implement this security measure at the API level, rather than relying on device identification on the client side.

I would appreciate any suggestions or ideas on how to implement this device-specific security feature in my Spring Boot application. Thank you in advance!


Solution

  • I'm going to write this straight out.

    You can't.

    And you should give up on this. Just implement security in accordance with the given standards like OAuth2 etc. and don't try to implement something custom.

    Let's look at your requirements:

    • The token should be tied to the device that generated it, preventing its use on other devices.

    For this to work, the server needs to know exactly who the device is at generation time, and how can we guarantee that it is the device it claims to be? Well, we can't, unless we start with some serious fingerprinting where we gather up a lot of data points from the device itself and store them server side. Gathering this information can be a violation of privacy and a breach of GDPR rules in Europe, with very hefty fines attached.

    • The solution should work for both browser-based logins and logins from mobile applications.

    Devices can be spoofed, browsers can be spoofed. This also means that every time a user switches computer or browser you need to fingerprint them again which is highly invasive of privacy.

    • I want to implement this security measure at the API level, rather than relying on device identification on the client side.

    Your requirement here is basically impossible. So you want to ensure that something works on only a specific device, but you only want to write code server side?

    General discussion

    Anything from a client can be spoofed. That's why we have passwords and strong cryptographic keys, because those are the only things we cannot spoof. Everything else from a client/device etc. can be faked, so there is no way that you could ever have such security.

    • Passwords can be stolen, leaked
    • Devices can be spoofed
    • Certificates (mTLS) can be stolen
    • Data fingerprinting without informing customers why (and you should have a very strong reason for doing it) is otherwise illegal, immoral and in violation of GDPR.

    So once again: give up this idea. Implement OAuth2 and call it a day.
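To make the answer's point concrete, here is an added example (not code from the question or the answer) of what a device-binding check in a Spring `OncePerRequestFilter`, like the question's `AllRequestFilter`, would have to compare at the API level, with comments on why each compared value is under the client's control. The class name and the in-memory token store are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter that binds a bearer token to the "device" seen at login.
// Everything the server can observe about the device arrives in the request,
// so it is chosen by whoever holds the token: the check is not a guarantee.
public class DeviceBoundTokenFilter extends OncePerRequestFilter {

    // Recorded at login: token -> fingerprint of the request that obtained it
    // (in-memory for illustration; a real deployment would use an external store).
    private final Map<String, String> tokenToDevice = new ConcurrentHashMap<>();

    // Called by the login endpoint once the token has been issued.
    public void bind(String token, HttpServletRequest loginRequest) {
        tokenToDevice.put(token, fingerprint(loginRequest));
    }

    // The only "device" data the API layer has is what the client sent:
    //  - User-Agent: an arbitrary header, set freely by any HTTP client.
    //  - Remote address: shared behind NAT and changes when the legitimate
    //    user moves between Wi-Fi and mobile data, so real users get locked out.
    static String fingerprint(HttpServletRequest req) {
        String ua = req.getHeader("User-Agent");
        return (ua == null ? "" : ua) + "|" + req.getRemoteAddr();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String auth = req.getHeader("Authorization");
        String expected = (auth != null && auth.startsWith("Bearer "))
                ? tokenToDevice.get(auth.substring("Bearer ".length())) : null;
        // Rejects an unknown token or a mismatching fingerprint. A request that
        // carries the same token with the same header values passes regardless
        // of which machine sent it, which is the limitation the answer describes.
        if (expected == null || !expected.equals(fingerprint(req))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter gives the token's legitimate holder a lockout risk (address changes) without giving the server any assurance about the device, which is why the answer points to standard OAuth2 flows instead.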