Jotting JWTs

20 points

You'll need to write a simple app that can receive POST requests, validate JWTs against a secret and keep a small piece of state between requests.

Grab a jwt_secret from the problem endpoint. Configure your app to use it for validating all incoming JWTs. POST your app_url to the solution endpoint.

What happens now is as follows:

  • our server will send a few requests to your app
  • they will all be POST requests to / (the path never changes), with the JWT as the raw request body
  • the token's payload will contain a key named append set to a string
  • starting with an empty string, append that value for every valid request; a token that does not validate against your jwt_secret contributes nothing
  • eventually you'll receive a token without an append key; when that happens, respond with a simple JSON object whose solution key holds the string built from all the appended values
  • you grab the points if the constructed string matches what we were expecting

Once you grab a jwt_secret, you have 5 seconds to submit an app_url to the solution endpoint.
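The whole flow above, as an added stand-alone Python 3 example (this is not hackattic's code or a reference solution): an HTTP server that treats the POST body as a JWT, verifies it as HS256 against jwt_secret using only the standard library, refuses any other alg (so an "alg": "none" token fails closed instead of being accepted unsigned), compares the signature in constant time, honours exp/nbf when present, appends the append value of each valid token, and replies with {"solution": ...} once a token without append arrives. The HS256 algorithm, the port, the JWT_SECRET placeholder and the sign_hs256 helper (used only to mint test tokens locally) are assumptions; the challenge text specifies none of them.

```python
# Added example for the "Jotting JWTs" challenge. Not hackattic's code.
# Assumptions: tokens are HS256, the secret is a UTF-8 string, port 8080.
import base64
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_hs256(token: str, secret: str, now=None) -> dict:
    """Return the payload of a valid HS256 token, or raise ValueError.

    Pins the algorithm (an attacker-controlled header must not pick it),
    compares the MAC in constant time, and checks exp/nbf if present.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 token. Only needed to build test tokens locally."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


class Jotter:
    """The state between requests: the string built from 'append' values."""

    def __init__(self, secret: str):
        self.secret = secret
        self.buffer = ""

    def handle(self, body: bytes, now=None):
        """Process one POST body; returns (http_status, json_reply)."""
        try:
            payload = verify_hs256(body.decode("utf-8"), self.secret, now)
        except (ValueError, TypeError) as exc:
            # Invalid tokens (bad MAC, wrong alg, expired, garbage) add nothing.
            return 401, {"error": str(exc)}
        if "append" in payload:
            self.buffer += str(payload["append"])
            return 200, {}
        return 200, {"solution": self.buffer}


class JotterHandler(BaseHTTPRequestHandler):
    jotter = None  # set to a Jotter instance before serving

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, reply = self.jotter.handle(body)
        out = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    JWT_SECRET = "replace-with-the-jwt_secret-from-the-problem-endpoint"  # assumption
    JotterHandler.jotter = Jotter(JWT_SECRET)
    HTTPServer(("0.0.0.0", 8080), JotterHandler).serve_forever()
```

Because of the 5-second window, have the app running and reachable at a public app_url before you fetch the secret, and feed the secret in (environment variable, config file, a scripted restart) from the same script that then POSTs app_url. The alg pin and constant-time compare are the two checks worth keeping in any real JWT validator: trusting the header's alg is exactly how unsigned and key-confusion tokens get accepted.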

Getting the problem set

GET /challenges/jotting_jwts/problem?access_token=...

Problem JSON will be in the following format:

  • jwt_secret: the JWT secret used to sign the tokens

Submitting a solution

POST /challenges/jotting_jwts/solve?access_token=...

Solution JSON structure:

  • app_url: the URL of your app, which we will flood with JWTs

Why this challenge?

Well, there's a certain beauty to JWTs, most of it thanks to their simplicity. But the idea came from an interview where the interviewee, despite quite a lot of experience, had no intuitive understanding of what JWTs are and how they work. I figured this would make an interesting topic for a challenge and maybe give you an excuse to read more into these babies.

