简体繁体 English

我需要验证jwt吗？

[英]Do I need to verify jwt?

原文 2015-09-27 19:29:35 5 3 javascript/ node.js/ jwt

So here is my scenario , I generated a jwt token and stored that token in redis with 1 hour TTL. 所以这是我的场景，我生成了一个jwt令牌并将该令牌存储在Redis中，并具有1小时的TTL。 Now I see most of tutorials use jwt.verify to verify the token.. 现在，我看到大多数教程都使用jwt.verify来验证令牌。

I know they are verifying the token is authentic or not 我知道他们正在验证令牌是否真实

Why I need to use jwt.verify.. Why can't I use redis.exists to check the token is authentic or not.. 为什么我需要使用jwt.verify。为什么我不能使用redis.exists来检查令牌是否真实。

Most of them say, we can use jwt main feature is no need to use db to check the user and expiration.. 他们中的大多数人说，我们可以使用jwt的主要功能就是不需要使用db来检查用户和到期时间。

But in my scenario I cant store everything in token.. So I am using redis to store the token with session information. 但是在我的场景中，我无法将所有内容都存储在令牌中。因此，我使用Redis来存储带有会话信息的令牌。

Questions are 1. So I should not use jwt for this kind of scenario. 问题是1.因此，在这种情况下，我不应该使用jwt。 2. Can I skip jwt.verify? 2.我可以跳过jwt.verify吗？

I am a node newbie.. 我是新手节点。

3 个解决方案

JWTs can help you quickly retrieve information about the caller, without hitting a database (redis is also a database). JWT可以帮助您快速检索有关调用方的信息，而无需访问数据库（redis也是数据库）。 When using JWTs used by client applications/external services you must always verify them to make sure that you are the one that generated them and they have not been tampered with. 使用客户端应用程序/外部服务使用的JWT时，必须始终对其进行验证，以确保您是生成它们的JWT且未被篡改。

Common info stored in the JWT are things like username, real name, group etc. In your scenario, you could use the JWT to store a redis key that holds the info that you want. 存储在JWT中的常见信息包括用户名，真实姓名，组等。在您的方案中，您可以使用JWT存储Redis密钥来保存所需的信息。 It might be the case that you always will hit redis to get the info you want, so JWTs don't add a lot of value to your case, but it might be so that you could use JWTs to write smarter code that will only hit redis under certain circumstances eg. 在某些情况下，您总是会点击redis来获取所需的信息，因此JWT不会为您的案例增加很多价值，但是您可能会使用JWT编写更智能的代码在某些情况下，例如。 if the user has this right, or if we have stored something in redis about this user or not (missing redis key from the JWT token) 如果用户拥有此权限，或者我们是否在该用户的redis中存储了一些东西（缺少JWT令牌中的redis密钥）

You are the only one that can evaluate your scenario and the usefulness of JWTs but don't be hasty to dismiss them, as they provide a nice perfomance/security improvement out of the box. 您是唯一可以评估自己的场景和JWT有用性，但又不必急于将其淘汰的人，因为它们提供了出色的性能/安全性改进。

Assuming that the Redis server is secured and you generate the JWT yourself (as seems to be the case here), you don't need to verify it. 假设Redis服务器是安全的，并且您自己生成了JWT（如此处所示），则无需进行验证。 Once created, stored it in the cache and retrieve it later you don't need to verify it again because you know it could not have been tampered with in the Redis cache. 创建后，将其存储在缓存中，以后再取回它就不需要再次验证，因为您知道它可能不会在Redis缓存中被篡改。

Only when receiving JWTs that are generated by 3rd parties you would need to verify that they are authentic. 仅当接收到由第三方生成的JWT时，您才需要验证它们是否真实。

If on the other hand you are distributing JWTs to 3rd-party applications and clients that you don't control then you will have to make sure that once you they are replayed back to you, they are untampered with by verifying the signature (or do a binary compare against the one stored in the Redis cache) and (when in use) checking the expiry timestamp in the exp claim. 另一方面，如果您将JWT分发给不受您控制的第三方应用程序和客户端，则必须确保一旦将它们重播给您，便可以通过验证签名使其不受干扰（或与Redis缓存中存储的二进制比较），并（在使用时）检查exp索赔中的到期时间戳。

Without any verification in place, it will be possible for a 3rd party to send requests to your API and in most cases the requests will likely turn into a man-in-the-middle attack. 如果未进行任何验证，则第三方有可能将请求发送到您的API，并且在大多数情况下，请求可能会变成中间人攻击。 It's good security practice to keep a record of all the tokens generated on the server and then authenticate against them with each incoming request. 保留所有在服务器上生成的令牌的记录，然后针对每个传入请求对它们进行身份验证是一种很好的安全做法。