Reputation: 1229
Json Web Token security [ Node JS ]
This post is just to know whether my method/code does not introduce any overheads and is enough interms of security. Technology used: NodeJS, JWT, ExpressJS, mongoose(mongoDB)
The following is the userschema:
const userSchema = mongoose.Schema({
email: {
type: String,
required: true
},
password: {
type: String,
required: true
},
accessToken: {
type: String
}
});
Now my code implements the following:
Every time when a user logs into his account, the accesstoken(JWT) generated, is saved to the users account ( in database). And whenever a request requiring authentication for eg:
GET /api/user/myprofilethe JWT send along with this request in theAuthorizationheader, is checked with the token already saved in the DB (as I mentioned earlier), thus no other person access to an old valid JWT can access the users account. Along with this, authenticated routes have a middleware function which verifies the JWT which is essential.The same check is also done to the
/logoutendpoint. If the token(JWT) in the Authorization header is not same as the one in the users DB, then it throws 403 error thus an attacker with valid token cannot logout the user continuously.
Is this enough to provide security, interms of token management? Is there anything mandatory which I am missing?
Thank you.
Upvotes: 0
Views: 80
Answers (1)
Reputation: 3659
I believe your application has... a bit potential for improvement. Look:
- You are not supposed to store the JWT tokens in the database. You are supposed to validate the signature of the JWT token to verify, if you can trust the token.
- By having all the tokens stored in the database, you have a single point of failure. Once your DB is hacked, everyone is hacked.
- The logout endpoint is not supposed to need authentication or the token. Do you want your user with invalid token to be redirected to the login page so he can log out?
Please read about how JWT tokens are to be used: https://jwt.io/introduction/
Once you did that have a look what are the most common security concerns regarding JWT tokens: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
Upvotes: 1
Related Questions
- JSON web token - password in the payload?
- How to implement JSON web token in client side - Node.js
- Token Based Authenication with Node/Express
- General API security tips and info on how tokens work
- authentication with jsonwebtokens in node.js
- How to store Json Web Token in mongodb using node express
- API authentication using json web tokens jwt-simple
- JSON Web Token (JWT) Security
- Node & Token Based Security
- Correct way to protect URL with JSON web token and node.js/express