Lev

Reputation: 15654

falsifying a valid JWT Token

After a successful login, my node application returns a JWT token.

The JWT is signed with user ID, expiration date and secret.

Here is how I would generate a token for the user with id: 1:

    const jwt = require('jsonwebtoken');

    // Issue a token for the user with id 1; exp_date is a Unix timestamp in seconds
    function generateToken(exp_date) {
        return jwt.sign({
            _id: 1,
            exp: exp_date,
        }, "MY_SECRET");
    }

Since my backend application identifies the user from its token:

Would it be possible for the user with "id:1" to edit his valid token, set it to "id:2", and then start fooling around in the back end application as if he were the user with "id:2"?

Upvotes: 0

Views: 346

Answers (2)

idbehold

Reputation: 17168

Not unless someone got access to your private key which you're using to sign the JSON

Upvotes: 2

Andreas Jägle

Reputation: 12240

The secret is used to sign the payload for later verification. Please have a look at the JWT website (https://jwt.io/) that shows the concepts pretty well.

The token payload is not encrypted, so everyone can read and possibly modify it. By signing the payload initially there is a way to recognize the modification when the token is validated. So if someone modifies the user id, the payload's hash sum changes and without having your secret key there is no way to recreate the signature. So you can be sure that the token can't be manipulated without recognition.

Instead of using a simple secret that must be shared between the signing instance and the instances that want to verify the token, there is also the possibility to use public-key cryptography, where you sign with a private key and the token validity can be verified with a certificate that doesn't allow creating signed tokens itself. I would suggest this approach for distributed setups because there is no chance to manipulate a token when one of the non-signing services is compromised.

Upvotes: 1
