alernerdev

Reputation: 2064

Do I have to use HTTPS when relying on cookies or tokens?

I am going through various JavaScript/auth tutorials -- I understand salting a password and storing it in the DB, using Passport, generating the token and storing it in the request header, etc. Overall, I got the whole flow going -- for signing up and signing in. But I am not sure why the following is not mentioned in any of the tutorials: if I can view HTTP traffic on the network, can't I steal someone else's token and "impersonate" that user? I won't be able to decrypt the token since I don't have the "secret phrase" used to generate the token, but I can surely take it "as is"? So, do tokens and HTTPS go together? Is my understanding about user impersonation via a token correct? Thank you.

Upvotes: 0

Views: 21

Answers (1)

user9455968

As somebody who intercepts a JWT you ...

  • ... are able to "decrypt" the JWT since it is not encrypted. It is only Base64 encoded,
  • ... can validate the signature if an asymmetric scheme is used and you know the public key,
  • ... can use the JWT to impersonate the user,
  • ... cannot change the claims made in the JWT, since then the signature would no longer be valid, which would be noticed by the server.

So, yes, use HTTPS.

Also on the server side don't rely on the JWT alone. Check that ...

  • ... it is not on the blacklist of revoked tokens (you have such a list, don't you?),
  • ... the request is coming from a network address that is a claim in the JWT (you include the network address for which the JWT was issued, don't you?).

Upvotes: 1
