Reputation: 149
I'm using Node.js, MySQL and JSON Web Tokens to build an API.
My JWT looks like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlcyI6WyJsb2dnZWRfaW4iLCJhZG1pbiJdLCJpZCI6NzEsImlhdCI6MTQ1OTQ0NjU5MCwiZXhwIjoxNDU5NTMyOTkwfQ.BBbdyFMztYkXlhcBjW6D5SsKxtaRiZJqiNShOroQmhk
and its claims decode to:
{"roles":["logged_in","admin"],"id":71,"iat":1459446590,"exp":1459532990}
When an API endpoint receives that JWT, is it safer to call the User table with id 71 to get any pertinent details or to use the id from the JWT?
Ideally we would save a lot of calls to the User table, but is there a security threat? Couldn't a malicious user change that id or a role before calling the endpoint?
Upvotes: 2
Views: 612
Reputation: 1944
A JWT is signed. If a user changes anything in the payload, the signature validation will fail and you will know the data was tampered with.
That being said, the data itself is not encrypted. You can use a user ID -- but do not add sensitive information besides what could be public.
More about JWT verification and lifecycle:
https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback
Upvotes: 5