Reputation: 1
I am working on a JWT-authentication-based project and I want to store the token that is created on the user's login request, but this token can be decoded easily, so where should I store these tokens?
// code to create token and cookie
const jwt = require('jsonwebtoken');
const secretkey = process.env.JWT_SECRET; // signing secret is read from the environment, not hard-coded
const createToken = (id) => {
  return jwt.sign({ id }, secretkey);
};
// ....some code is written here.....
const token = createToken(userid);
res.cookie('jwts', token, { httpOnly: true, maxAge: 1000 * 60 * 60, sameSite: 'lax' });
Upvotes: 0
Views: 707
Reputation: 19
From your question, it feels like your JWT flow isn't clear. The token can be decoded, but it will only reveal some payload data and the header, which don't contain any sensitive data.
Token generation and explanation: A JWT token is formed of a Header, a Payload & a Signature.
The header is metadata about the token itself. The payload is the data encoded in the token, e.g. the user's ID. The signature is created using the header, the payload, & the SECRET stored on the server. This process is called signing. This 'SECRET' is what helps us validate the signature's authenticity.
Well, so how do we make sure the data isn't modified?
A verification process is done at the server, where the JWT's header, payload, and secret are used to create a test signature. This signature is matched against the original signature (already existing inside the JWT); if they match, the data has not been modified. Without the secret, no one can manipulate the JWT. That is, the verification will fail if the signatures do not match.
Token storage: There is some debate about whether to store the token in cookies or local storage, since both are prone to hacker attacks.
Login Flow:
Upvotes: 1
Reputation: 31
You need to send that token along with the API requests from the client. I used to store it in the client's internal storage and send that token with each and every API call.
Upvotes: 0