Reputation: 2180
So here is my scenario: I generated a JWT token and stored that token in Redis with a 1 hour TTL. Now I see most tutorials use jwt.verify to verify the token.
I know they are verifying whether the token is authentic or not.
Why do I need to use jwt.verify? Why can't I use redis.exists to check whether the token is authentic or not?
Most of them say the main feature of JWT is that there is no need to use a DB to check the user and expiration.
But in my scenario I can't store everything in the token, so I am using Redis to store the token with session information.
My questions are: 1. Should I not use JWT for this kind of scenario? 2. Can I skip jwt.verify?
I am a Node newbie.
Upvotes: 2
Views: 2043
Reputation: 53928
Assuming that the Redis server is secured and you generate the JWT yourself (as seems to be the case here), you don't need to verify it. Once you have created it, stored it in the cache and retrieved it later, you don't need to verify it again, because you know it could not have been tampered with in the Redis cache.
Only when receiving JWTs that are generated by third parties would you need to verify that they are authentic.
If, on the other hand, you are distributing JWTs to third-party applications and clients that you don't control, then you will have to make sure that once they are replayed back to you they are untampered with, by verifying the signature (or doing a binary compare against the one stored in the Redis cache) and (when in use) checking the expiry timestamp in the exp claim.
Upvotes: 1
Reputation: 3774
JWTs can help you quickly retrieve information about the caller without hitting a database (Redis is also a database). When JWTs are used by client applications/external services you must always verify them, to make sure that you are the one that generated them and that they have not been tampered with.
Common info stored in the JWT are things like username, real name, group etc. In your scenario, you could use the JWT to store a Redis key that holds the info that you want. It might be the case that you will always hit Redis to get the info you want, so JWTs don't add a lot of value to your case, but it might also be that you could use JWTs to write smarter code that will only hit Redis under certain circumstances, e.g. if the user has this right, or if we have stored something in Redis about this user or not (missing Redis key from the JWT token).
You are the only one that can evaluate your scenario and the usefulness of JWTs, but don't be hasty to dismiss them, as they provide a nice performance/security improvement out of the box.
Upvotes: 2
Reputation: 404
Without any verification in place, it will be possible for a third party to send requests to your API, and in most cases the requests will likely turn into a man-in-the-middle attack. It's good security practice to keep a record of all the tokens generated on the server and then authenticate against them with each incoming request.
Upvotes: 0