DoneDeal0

Reputation: 6257

Should I send sensitive info from the server in a jwt or plain json?

I have a login route that returns:

This user object contains sensitive information such as geolocation, email, etc. This response is stored in a React global state and cached by the browser. It is never exposed in local/session storage.

Do I need to encrypt the user object in a jwt before sending it to the client? Or does it make no difference at all, and sending it in plain json will be enough?

The code looks like this:

// msPerDay is not shown in the question; this definition (one day in milliseconds) is assumed
const msPerDay = 24 * 60 * 60 * 1000;

const token = AuthControler.generateToken(user);
const encryptedUser = AuthControler.encryptUser(user);
return res
  .status(200)
  .cookie("myapp", token, {
    expires: new Date(Date.now() + msPerDay * 14),
    httpOnly: true,
    secure: true
  })
  .json({ user: encryptedUser });

Upvotes: 1

Views: 1202

Answers (2)

user9775882

Contrary to popular belief, JWT tokens may come in either JWS (signed only) or JWE (truly encrypted) format. JWE is just not a widespread capability of most JWT/JOSE libraries.

If your system is both the issuer and consumer of these tokens, then you can use encrypted JWTs, e.g. using the jose package's EncryptJWT module.

The { alg: 'dir', enc: 'A256GCM' } combination is suited for such a setup; the secret key would be a 256-bit random secret. Other enc values may require different sized secret keys.

The resulting JWT looks like this; the only readable portion prior to decryption is the JWE Protected Header.

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dHrDXdmJIg9pwujk.ZX69BYgPmnCYpztL9BgdyaElv1wEebfq6dIrhoh6TEFiocGK4uwK6rt6pA6oXEkLd-pVVxtIaSTb6r5On1PU0EG9uqJbk7yGaMkq_OF1ZsbVbsHoGPaggoi5j7PCSLmRJdr1iByp7IJ2yWzTx-yzVgnBJgk.dSsVWFbQYLmr0mUBJVWpfQ

Upvotes: 2

Robert Kawecki

Reputation: 2448

A JSON Web Token can be decoded even without the signing private key / signing secret; it's not encrypted on its own. See here: https://jwt.io/ - paste your JWT (having read the warnings about sensitive data) and get the user info back.

If you want to avoid exposing the data to the user, encrypt it (not JWT) yourself. This technique is often applied to cookies, as well - e.g. to prevent fuzzing by cookies and other tampering. Alternatively, if you do maintain some kind of session state on the back-end, it's a good place to put the data and never have to send it to the client in the first place.

Last but not least, it's important that you have a threat model before setting out to implement security. What's the data that is protected? Who are you protecting against? Is e.g. "another user of the same computer" part of the model? Can the data be obtained in some other way, e.g. by actively making requests to your system? Is it affected by GDPR in any way, and if so, does it achieve minimization of data processing?

Upvotes: 4
