Token Authentication - JWT

Question

When we use jsonwebtoken in Node, we sign a particular token for the user and send it back. However, when we verify the token when the user sends it in the header (Authentication: <token>), how does the jwt know that that token which it is verifying is for that particular user and not for some other user who also sent a request at the same time? Does it store the token somewhere internally?

Answer 1

The Authentication token is stored in an Authentication Server, so when you send the Authentication token in your request header, the Authentication Server authenticated your client.

After being authenticated by Authentication Server, the client can now pass JWT to make API calls to the Application Server. Since client is allowed to make API calls, Application Server can verify the JWT token the client has sent and can process the API call.

Note that for making API calls, the client has to send a Authorization: Bearer <token> for each API call, which is stored at the server (aka Authorization Server)

Answer 2

At the time of login, you sign a token where payload is the userId, which is nothing but the _id field in the queried user object.

loginUser: async (req, res, next) => {
    try {
      const { email, password } = req.body
      const user = await User.findOne({ email })
      const token = auth.signToken({ userId: user._id })
      res.status(200).json({ user, token })
    } catch (error) {
      return next(error)
    }
  }

auth.js

function signToken(payload) {
  return jwt.sign(payload, JWTSECRET)
}

function verifyToken(req, res, next) {
  const token = req.headers.Authorization || req.headers.authorization || ""
  if (!token) {
    return res.status(403).json({ error: "Not authorized" })
  }

  jwt.verify(token,JWTSECRET, (err, decodedObj) => {
    if (err) {
      return res.status(403).json({ error: "Not authorized" })
    }

    req.user = decodedObj
    next()
  })
}

module.exports = { signToken, verifyToken }

In the callback of jwt.verify, you get a decodedObj which is like:

{ userId: '5edb3ae6d6b129183c1393bc', iat: 1591425786 }

where iat is the time at which the jwt was issued.

 req.user = decodedObj

Here, we're "attaching" the decoded data to the user object so that when a request is made to the protected route, we can get the userId from the request object, like req.user.userId, and then query it from the database.

When you sign a token, you provide a payload which can be a userId and a secret. So, the token gets signed. After that, you need to verify the token in case you're trying to access some protected page that requires a token.

So, when you send a request to that protected route, like this:

   router.get("/me", auth.verifyToken, usersController.identifyUser)

where identifyUser is a controller function that just identifies the logged in user by checking the userId(remember the user object contains the decoded object data).

how does the jwt know that that token which it is verifying is for that particular user and not for some other user who also sent a request at the same time? Does it store the token somewhere internally?

It's because of the payload that you give, which is unique to the user.

Answer 3

You will typically sign the token with the user id when sending it from the server. So when the client then sends back that token you decode it and it will return the id to you. Which you then use to find the user in the data base

Answer 4

1. the token is most store in the client
2. when the token verifying successfully, we will get some user info, etc account id, so we can use account id to find more user info in the database, and check the use is really exist

maybe it is useful for you?