
JSON web token not storing data OR I can't access it correctly

I have a MEAN stack application that stores user information inside of a JSON Web Token, and I'm trying to add a value to the JSON Web Token for my application to reference. I believe the data is being stored in the JSON Web Token and I just can't access it, but I could be wrong.

Here is where the JSON web Token is created server side:

var jwt = require('jsonwebtoken'); // npm package used by the MEAN tutorial stack

userSchema.methods.generateJwt = function() {
  console.log("I'm creating a JSON WebToken");
  console.log(this.hasPaid); // HERE I CAN CLEARLY SEE THIS HAS THE VALUE I'M WANTING
  var expiry = new Date();
  expiry.setDate(expiry.getDate() + 7); // token valid for 7 days
  return jwt.sign({
    _id: this._id,
    email: this.email,
    name: this.name,
    hasPaid: this.hasPaid, // HERE IS THE VALUE I WANT
    exp: parseInt(expiry.getTime() / 1000), // exp is in seconds, not milliseconds
  }, "MY_SECRET"); // HS256 by default; the secret never leaves the server
};

Here is my AngularJS authentication service :

var currentUser = function() {
  if (isLoggedIn()) {
    var token = getToken();
    var payload = token.split('.')[1];
    // JWT segments are base64url (RFC 7515), while atob() expects standard
    // base64: map '-'/'_' back to '+'/'/' and restore padding before decoding.
    payload = payload.replace(/-/g, '+').replace(/_/g, '/');
    payload += '='.repeat((4 - payload.length % 4) % 4);
    payload = $window.atob(payload);
    payload = JSON.parse(payload);
    console.log(payload);
    // Note: this only reads the payload; it does not verify the signature,
    // so the server must still verify the token on every request.
    return {
      email: payload.email,
      name: payload.name,
      hasPaid: payload.hasPaid // Here is my value
    };
  }
};

Then, inside my APP.JS I try to call the function:

console.log(authentication.currentUser().hasPaid); // This works because when I call currentUser().name

Get token function :

var getToken = function () {
  return $window.localStorage['mean-token'];
};

Thanks in advance!

Well. It seems to me that you will have a hard time trying to decode the token client side without using "MY_SECRET" to decode it (which is in fact a "security" feature of JWT).

A token can only be validated, changed, verified or manipulated in any way outside the server that initially signed it.

EDIT: OK. My mistake. It is perfectly possible to decode the PAYLOAD without having the "SECRET" (in fact it is Base64-encoded, which equals ZERO security). What is not possible without the secret is to decode/verify the signature.

Anyway, that's the reason the standard recommendation is to not save confidential/sensitive/secret information in the payload of a JWT.

Saving the user's email, roles, or payment information there is a VERY HIGH security risk, because it can get stored in COOKIES and/or local storage. So if an attacker can compromise the browser, they can easily get this data.

An idea could be to store some unique id of the user that doesn't allow login, for example a unique ID field, and maybe add some claims, like unique IDs of roles and/or privileges, in some kind of secure form like an MD5 hash.

So my suggestion for your token payload is something like:

 var crypto = require('crypto');
 var jwt = require('jsonwebtoken');
 // some more code
 var userClaims = { hasPaid: this.hasPaid };
 return jwt.sign({
     _id: this._id,
     // Hash.update() needs a string or Buffer, so serialize the object first
     claims: crypto.createHash('md5').update(JSON.stringify(userClaims)).digest('hex')
 }, "MY_SECRET");

Note : forget my last three comments

I figured it out. I apologize. I was doing everything correctly; if anyone wants to use this information, the above functions will work. However, I used a minify application and it was using the minified authentication service that I did not update. Duh!! Sorry guys.
