mastodontech.de is one of many independent Mastodon servers you can use to take part in the fediverse.
Open to everyone (over 16) and provided by Markus'Blog

#jwt

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕

JWTs Are Not Session Tokens, Stop Using Them Like One

When JSON Web Tokens (JWTs) hit the mainstream, they were hailed as the solution to everything wrong with session management. Stateless! Compact! Tamper-proof! Suddenly, everyone started stuffing them into every web app like ketchup on bad code.

🧑‍💻 https://archive.fo/01UkP

#json #jwt #webdev #token #web #code #bad #badcode #WebTokens #ketchup

BeyondMachines

There is only one correct pronunciation of #JWT

Kushal Das

Slowly moving the brain to play #JWT #JWT in the background. Next few weeks will be into the land of JWTs via both #rust and #python.

Jobs for Developers

SoundHound is hiring Senior Software Engineer

🔧 #java #javascript #typescript #react #springframework #api #hibernate #aws #azure #cicd #docker #gcp #jwt #kafka #kubernetes #mysql #redis #seniorengineer
🌎 Bengaluru, India
⏰ Full-time
🏢 SoundHound

Job details https://jobsfordevelopers.com/jobs/senior-software-engineer-at-soundhound-com-jun-9-2025-bb0adc?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring

Mariusz

Day 7
✅ 24 test suites, 153 tests passing.

Solid coverage across service and controller layers in my modular monorepo. Strict typing (TypeScript), full DTO validation, and realistic mocks across complex relations (TypeORM).

Next: fine-tuning error handling & exploring e2e strategies.

https://write.as/bmariusz/24-test-suites-153-tests-passing-scaling-confidence-with-every-assertion

#TypeScript #NestJS #Nextjs #InsuranceTech #Microservices #monorepo #rbac #codingdays #swagger #jwt #jwt_auth #programming

Bèr Kessels 🐝 🚐 🏄 🌱

I've been working on and with #JWT in authorization and authentication contexts a lot recently.

This ecosystem is a mess, especially in the #javascript corner.
A significant portion of implementations don't even verify the tokens they get. They just presume it's from some trusted server. It's dead easy to forge that.

Then, many more do verify, but use libraries full of features. A self-signed jwt is valid and verified. But not from e.g. the auth server you expect.

1/3

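The two failure modes named in the post above (tokens accepted without verification, and tokens verified against a key the token itself supplies) come down to where the verifier gets its key and algorithm from. The following is an added example, not part of the original post or of any library it refers to: a verifier that pins issuer, key id, algorithm and audience in local configuration, run over constructed sample tokens. The issuer URL, audience, key id and key bytes are assumptions made up for the example, and HS256 from the Python standard library stands in for whatever algorithm the real auth server uses; the same pinning applies to asymmetric keys.

```python
import base64, hashlib, hmac, json

# Constructed trust configuration (assumption): one issuer, one pinned key.
ISSUER = "https://auth.example.test"
AUDIENCE = "orders-api"
TRUSTED_KEYS = {(ISSUER, "k1"): b"constructed-demo-key-not-a-real-secret"}
NOW = 1_700_000_000  # fixed clock so the samples are deterministic

class Rejected(Exception):
    """Raised with a short reason when a token must not be trusted."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(header, claims, key=None):
    """Build a compact JWT for the samples; key=None leaves the signature empty."""
    body = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest() if key else b""
    return body + "." + b64url(sig)

def verify(token, now=NOW):
    """Return the claims only if the pinned issuer key signed the token."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
        alg, kid, iss = header.get("alg"), header.get("kid"), claims.get("iss")
    except (ValueError, AttributeError) as exc:  # bad base64/JSON or non-object JSON
        raise Rejected("malformed token") from exc
    # 1. The verifier fixes the algorithm; the token does not get to choose.
    if alg != "HS256":
        raise Rejected("algorithm not allowed")
    # 2. The key comes from local configuration. Header fields that carry key
    #    material (jwk, jku, x5c, x5u) are deliberately never read.
    pinned = isinstance(iss, str) and isinstance(kid, str)
    key = TRUSTED_KEYS.get((iss, kid)) if pinned else None
    if key is None:
        raise Rejected("unknown issuer or key id")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise Rejected("bad signature")
    # 3. Claims are only evaluated once the signature holds.
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise Rejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise Rejected("expired")
    return claims

def outcome(token):
    try:
        return "accepted sub=" + str(verify(token).get("sub"))
    except Rejected as why:
        return "rejected: " + str(why)

def sample_tokens():
    """Constructed tokens: one genuine, the others not from the pinned issuer key."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 300}
    forged = dict(claims, sub="admin")
    own_key = b"key-chosen-by-whoever-made-the-token"
    head = {"alg": "HS256", "typ": "JWT", "kid": "k1"}
    own_head = dict(head, jwk={"kty": "oct", "k": b64url(own_key)})
    return {
        "genuine": encode(head, claims, TRUSTED_KEYS[(ISSUER, "k1")]),
        "self_signed": encode(own_head, forged, own_key),
        "unsigned": encode(dict(head, alg="none"), forged),
        "other_issuer": encode(head, dict(forged, iss="https://login.other.test"), own_key),
        "expired": encode(head, dict(claims, exp=NOW - 1), TRUSTED_KEYS[(ISSUER, "k1")]),
    }
```

Calling `outcome()` on each entry of `sample_tokens()` accepts only the genuine token; the self-signed one fails at the signature check because the key embedded in its header is never consulted.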
Mariusz

Day 6
TL;DR: Groups, memberships, hierarchy — all dynamic now.

Released backend v0.3.0 🎉

✅ Users can belong to multiple groups with typed roles
✅ Groups can form hierarchical or overlapping structures
✅ Roles are normalized via reference types

Built with NestJS + TypeORM. Documented via Swagger.

https://write.as/bmariusz/building-a-flexible-group-structure-with-nestjs-and-typeorm

#TypeScript #NestJS #Nextjs #InsuranceTech #Microservices #monorepo #rbac #codingdays #swagger #jwt #jwt_auth #programming

Mariusz

Day 5
TL;DR: Continued work on backend security — role-based access is now fully wired up.

✅ Got fine-grained role-based access control fully working today.

• Roles loaded from PostgreSQL
• Injected into JWT during login
• Validated via custom `@Roles()` + `RolesGuard`
• Authenticated via `@UseGuards(JwtAuthGuard)` globally
• Introduced `@Public()` decorator to bypass guards for public endpoints
• Swagger supports Bearer token for testing

Took a while to get the role propagation into the token right — the key was enriching the `validateUser()` result, not just fetching data from DB.

Modular, clean, and no magic. Feels good. 👌

more on: https://write.as/bmariusz/continuation-securing-routes-with-jwt-and-role-based-access-control
#CloudNative #TypeScript #NestJS #Nextjs #InsuranceTech #Microservices #monorepo
#codingdays #swagger #jwt #jwt_auth #programming

Mariusz

Day 4

TL;DR: Full Swagger docs + JWT auth with registration and login are live.

Today’s work focused on two key improvements.

1. Swagger documentation was extended across all API layers. DTOs, entities, and controllers were enriched with `@ApiTags`, `@ApiOperation`, `@ApiResponse`, and detailed `@ApiBody` annotations — including real-life examples for request bodies.

2. JWT-based authentication was implemented. A secure registration flow was added, with password hashing via bcrypt. A login endpoint now issues access tokens containing user ID, email, and roles. All logic is encapsulated using Passport strategies (local and JWT). The next step will be protecting routes with guards and role-based access.

#CloudNative #TypeScript #NestJS #Nextjs #InsuranceTech #Microservices #monorepo
#codingdays #swagger #jwt #jwt_auth #programming

Several years ago, I was working on our local #OIDC identity provider at work ... part of which was looking at a #JWT (JSON Web Token) quite frequently.

Now I implemented JWT myself (from the ground up in pure #C) for #swad to make it independent of sessions.

Well, déjà vu here ... even back then, I always chuckled a bit how every JWT basically says "ey ... EY!" to me 🤪 🤡 (see it? *scnr*)

Good morning! ☕

Now that I can't find any other bugs in #swad any more, I'm thinking again about how I could improve it.

Would anyone consider deploying it on a busy site right now? Either as a replacement for #Anubis (proof-of-work against bots), or for simple non-federated #authentication, or maybe even both?

I'm currently not sure how well it would scale. The reason is the design with server-side sessions, which is simple and very light-weight "on the wire", but needs server-side RAM for each and every client. It's hard to guess how this would turn out on very busy sites.

So, I'm thinking about moving to a stateless design. The obvious technical choice for that would be to issue a signed #JWT (JSON Web Token), just like Anubis does it as well. This would have a few consequences though:

* OpenSSL/LibreSSL would be a hard build dependency. Right now, it's only needed if the proof-of-work checker and/or TLS support is enabled.
* You'd need an X509 certificate in any case to operate swad, even without TLS, just for signing the JWTs.
* My current CSRF-protection would stop working (it's based on random tokens stored in the session). Probably not THAT bad, the login itself doesn't need it at all, and once logged in, the only action swad supports is logout, which then COULD be spoofed, but that's more an annoyance than a security threat... 🤔
* I would *still* need some server-side RAM for each and every client to implement the rate-limits for failed logins. At least, that's not as much RAM as currently.

Any thoughts? Should I work on going (almost) "stateless"?

Studying the code of a newly scaffolded #rust #loco app. #loco raised my attention because there is a line in README.md

This is the **SaaS starter** which includes a `User` model and authentication based on JWT.

However, based on what I found for now, the received #JWT is never properly validated on the server side, so the #loco lesson on #JWT handling in #rust is rather incomplete. For truth's sake, authentication is there, but authorization is not. Now the rest is up to me.

Replied in thread

@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

1️⃣ DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (infosec.exchange/@ErikvanStrat).

2️⃣ SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See github.com/w3ctag/design-revie for how Google prevents "sites.google.com" from authenticating to "google.com".

3️⃣ DNS HACKED
It may not be necessary to execute BGP-hijacks to redirect network traffic to an impostor: it also all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.

4️⃣ All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).

5️⃣ Cloudflare MitM's https connections (it's not a secret: blog.cloudflare.com/password-r). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.

6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?

@odr_k4tana

Infosec Exchange: Erik van Straten (@ErikvanStraten@infosec.exchange)

🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3

Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

* 2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)
* 2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots
* 2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/
* 2023-11-01 KlaySwap and Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
* 2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents
* 2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
* 2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis
* 2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518

🌘BACKGROUND INFO🌒

* 2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/
* 2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee

Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.

#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#1FA #2FA #MFA