uglycode

Reputation: 3082

Some basic questions about JWT (server and client side)

I'm using express.js, passport with jwt strategy and of course jsonwebtoken for node.js.

So, currently, I've managed to implement a server-side logic, which enables users to login and returns the jwt token.

After that, when I do a GET request with the corresponding token in the header, it correctly verifies the jwt token and displays the info. The code is as follows:

var jwt = require('jsonwebtoken');
var passport = require('passport');
var JwtStrategy = require('passport-jwt').Strategy;
var ExtractJwt = require('passport-jwt').ExtractJwt;

// The user object is used directly as the token payload, signed with the shared
// secret and stamped with an issuer claim; pass a plain object of claims here.
function createToken(user) {
    return jwt.sign(user, 'shhhhh', {
        issuer: "accounts.examplesoft.com"
    });
}

var opts = {};
// Where passport-jwt reads the token from (required by current passport-jwt
// versions; assumed here to be the "Authorization: Bearer <token>" header).
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = 'shhhhh';
// Tokens whose iss claim does not match are rejected before the callback runs.
opts.issuer = "accounts.examplesoft.com";

// Runs only after the signature and issuer have been verified; the payload is
// then mapped back to a user record.
passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
    console.log(jwt_payload);
    User.findById(jwt_payload.id, function(err, user) {
        if (err) {
            return done(err, false);
        }
        if (user) {
            done(null, user);
        } else {
            done(null, false);
        }
    });
}));

// Login: check the credentials, then hand back a freshly signed token.
app.post('/jwt_login', function(req, res) {
    User._loginJwt({
        email: req.body.email,
        password: req.body.password
    }, function(err, user) {
        if (err) res.json(err);
        else res.json(createToken(user));
    });
});

// Protected route: passport verifies the token on every request, no session is kept.
app.get('/jwt_test', passport.authenticate('jwt', {
    session: false
}), function(req, res) {
    res.json(true);
});

Now I'm trying to do a client-side page. I'm using angularjs and there are a lot of jwt libraries for angularjs or rather, client side in general. Now I have a series of questions:

  1. First and foremost, is the server-side implemented correctly (from what you can tell by the code above)?
  2. Is it safe if I store the jwt token in localStorage (on client-side)?
  3. Why are there so many libraries available for jwt client side? Isn't it enough to get the token and then call the requests with that token? What else could I do with that token on the client side?
  4. Can't somebody just copy the jwt token from the localStorage and make requests as if they're logged in? Isn't that a security issue?

Thanks for your responses!

Upvotes: 0

Views: 842

Answers (1)

kiswa

Reputation: 14987

  1. The server-side implementation looks fine, though the claims in the token could be expanded. Just always authenticate the token and you're good.
  2. Yes. That's part of why JWT is useful. If the user alters the token, it will not match its signature and will fail authentication.
  3. From what I recall, the client-side stuff is for when you pass data in the payload that is used on the client. You want to be able to authenticate the token on that side as well then, so your front-end doesn't do anything it shouldn't.
    a. If you just have a RESTful API that validates requests with the token, you don't have to do anything with the JWT on the front-end besides sending it with requests.
  4. Yes. That's why your token should include an expiration in its claims. Keep in mind, the only way that gets into LocalStorage is if they logged in to begin with.

See here for claims that can be in your token:

http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4

Upvotes: 2
