Reputation: 5772
I have a decoupled Vue.js front-end + Node.js back-end and right now I'm trying to implement a token authentication system but I have a few questions.
const jwt = require('jsonwebtoken');
// privateKey: the PEM-encoded RSA private key used for RS256 (loaded elsewhere);
// the asynchronous form of sign() hands the token to the callback
jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256' }, function(err, token) {
  if (err) throw err;
  console.log(token);
});
First of all, in order to generate a token, the function requires a private/secret key. I'm a bit confused as to what this key is supposed to look like and whether it has to be the same for all tokens, or it should be unique. Also, where should I store this key?
My second question is what is the payload supposed to consist of. In the example, { foo: 'bar' } is used as payload. In my application, after a user registers, I save his info in the database and get an object that looks like this:
let user = {
username: 'Test1',
password: '$2a$12$lLnLRVHiI7yI4br.ys2aj.5EVcIjRD7BkV',
email: '[email protected]'
}
Do I just pass the user object as payload to jwt.sign() or should I just pass a single property?
Upvotes: 0
Views: 125
Reputation: 1466
1. Your private token should be of sufficient length to make it harder to brute-force.
2. It should be the same for all tokens.
3. It should be stored safely on the server side. This question is impossible to answer without knowing your setup. But don't check it into git, and don't put it in the client (for everyone to see).
4. Don't put secrets/passwords in the payload. These are not encrypted. You can take any token and decode it at jwt.io without knowing the secret.
There is one important aspect that you are missing with JWT. With a JWT you can verify that the payload was created with your secret. However, the payload itself is not encrypted.
So you can put whatever you want to have verification on in the payload. A good use case is a userId. If the verify on the token checks out, you know that it was created with the secret. But if the secret is in the client, every client can create a valid token. So make sure to actually keep it secret and on the server side. Don't ever put passwords or other secrets in the token. They will be 100% visible for everyone to see.
Upvotes: 1