Reputation: 12179
Let's say I create a token like so:
import jwt  # PyJWT
from datetime import datetime, timedelta

SECRET_KEY = 'replace-with-a-real-secret'  # assumed to be configured elsewhere in the app

def create_token(userId):
    payload = {
        # subject
        'sub': userId,
        # issued at
        'iat': datetime.utcnow(),
        # expiry
        'exp': datetime.utcnow() + timedelta(days=1)
    }
    token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
    return token.decode('unicode_escape')
Node socket.io
var socketioJwt = require('socketio-jwt');
// io is the socket.io server instance created elsewhere

io.sockets
  .on('connection', socketioJwt.authorize({
    secret: 'SOME SECRET',
    timeout: 15000
  }))
  .on('authenticated', function(socket) {
    // socket.decoded_token is the verified JWT payload
    console.log('hello! ', socket.decoded_token);
    socket.on('message', function(message) {
      console.log(message);
      io.emit('message', message);
    });
  })
  .on('error', function(error) {
    console.log(error.type);
    console.log(error.code);
  });
Now I'll be using the user id to identify users who send messages once authenticated. How safe is this method of identifying which users have sent the messages? What would it take to forge a token and impersonate a user? Just knowing the secret key? What methods can be used to hack this form of security? How can I ensure this chosen method of security is secure?
Upvotes: 0
Views: 197
Reputation: 612
A JWT has the format XXXXX.YYYYY.ZZZZZ, where XXXXX is the header info, YYYYY is the payload, and ZZZZZ is a hash of the payload with your security key.
Since the JWT is only Base64-encoded, anyone can decode the JWT and view the payload. If they change a value, however, the payload will not hash to the same value as ZZZZZ, so the token will become invalid. This method makes the token safe from tampering (as long as no one else has the security key used to sign the token). However, since anyone can read the token, any sensitive data that should not be viewable should either not be included in the payload, or be encrypted.
To forge the token, or tamper with it and change the user id, a hacker would need your security key.
Upvotes: 4
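As an added example (not part of the question or the answer, and not PyJWT's or socketio-jwt's code), the three-part structure the answer describes, carried through with only the Python standard library: the payload is readable without the key, a changed `sub` claim no longer matches the signature, and an expired `exp` is rejected. The secret and claim values are constructed test data.

```python
import base64, hashlib, hmac, json, time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def hs256_encode(payload: dict, secret: bytes) -> str:
    """header.payload.signature, signature = HMAC-SHA256(secret, header.payload)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_payload_unverified(token: str) -> dict:
    """Anyone can do this: the payload is only encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def hs256_verify(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the signature matches and 'exp' has not passed."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # only accept the algorithm the server was configured for
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    payload = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


def resign_sub_without_key(token: str, new_sub) -> str:
    """Edit the 'sub' claim but keep the old signature; verification must now fail."""
    h, _, s = token.split(".")
    payload = dict(read_payload_unverified(token), sub=new_sub)
    return h + "." + _b64url(_json(payload)) + "." + s
```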