HTTP & AUTH Flashcards

1
Q

What is multipart upload and how do you use it?

A

Multipart upload splits a file into chunks that are sent to the server separately; it is well suited to sending media.

2
Q

What is JWT PoP, why do you use it, and how does it work?

A
  • PoP stands for Proof of Possession. Regular JWTs (Bearer Tokens) are prone to theft, meaning anyone who steals the token can use it. PoP helps prevent bots, replay attacks, and unauthorized API usage.
  • PoP proves that the client possesses the private key by signing each API request.
  • The server verifies the signature using the corresponding public key stored in the JWT's cnf.jwk claim.
  • Private keys are stored on the backend, and OAuth2 is used to authenticate.
3
Q

What is a nonce?

A

A number used once. It can prevent replay attacks by adding a fresh nonce to each call.

Nonces are typically signed by the private key.

4
Q

How do we ensure zero-trust, high-security auth?

A

Use OAuth2 + PoP with a client-stored private key.

Use short-lived OAuth2 tokens and rotate PoP private keys often.

If an attacker steals both the private key and the OAuth2 token, they can impersonate the user until one of the above changes.

Device fingerprinting can also be used to identify devices.

5
Q

Discuss Attack and Mitigation Flow

A

📌 Breakdown of the Attack & Mitigation Flow
1️⃣ User logs into an OAuth2 provider (Google, Facebook, etc.)
2️⃣ OAuth2 provider issues an OAuth2 access token to the client
3️⃣ Client uses its private PoP key to sign API requests
4️⃣ API server verifies both the OAuth2 token and PoP signature
