
JSON Web Token (JWT) Security

I'm using Node.js, MySQL and JSON Web Tokens to build an API.

My JWT looks like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlcyI6WyJsb2dnZWRfaW4iLCJhZG1pbiJdLCJpZCI6NzEsImlhdCI6MTQ1OTQ0NjU5MCwiZXhwIjoxNDU5NTMyOTkwfQ.BBbdyFMztYkXlhcBjW6D5SsKxtaRiZJqiNShOroQmhk

and its claims decode to:

{"roles":["logged_in","admin"],"id":71,"iat":1459446590,"exp":1459532990}

When an API endpoint receives that JWT, is it safer to call the User table with id 71 to get any pertinent details or to use the id from the JWT?

Ideally we would save a lot of calls to the User table, but is there a security threat? Couldn't a malicious user change that id or a role before calling the endpoint?

JWT is signed. If a user changes anything on the payload, the signature validation will fail and you will know the data was tampered with.

That being said, the data itself is not encrypted. You can use a user ID -- but do not add sensitive information besides what could be public.

More about JWT verification and lifecycle:

https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback
