
Should I send sensitive info from the server in a jwt or plain json?

I have a login route that returns:

  • a cookie with a jwt payload: user.id and user.locale
  • a json response with a user object.

This user object contains sensitive information such as geolocation, email, etc. This response is stored in a React global state and cached by the browser. It is never exposed in local/session storage.

Do I need to encrypt the user object in a jwt before sending it to the client? Or does it make no difference at all, and sending it in plain json will be enough?

The code looks like this:

const token = AuthControler.generateToken(user);
const encryptedUser = AuthControler.encryptUser(user);
return res
  .status(200)
  .cookie("myapp", token, {
    expires: new Date(Date.now() + msPerDay * 14),
    httpOnly: true,
    secure: true
  })
  .json({ user: encryptedUser });

A JSON Web Token can be decoded even without the signing private key / signing secret; it's not encrypted on its own. See here: https://jwt.io/ - paste your JWT (having read the warnings about sensitive data) and get the user info back.

If you want to avoid exposing the data to the user, encrypt it (not JWT) yourself. This technique is often applied to cookies as well, e.g. to prevent fuzzing by cookies and other tampering. Alternatively, if you do maintain some kind of session state on the back-end, it's a good place to put the data and never have to send it to the client in the first place.

Last but not least, it's important that you have a threat model before setting out to implement security. What's the data that is protected? Who are you protecting against? Is e.g. "another user of the same computer" part of the model? Can the data be obtained in some other way, e.g. by actively making requests to your system? Is it affected by GDPR in any way, and if so, does it achieve minimization of data processing?

Contrary to popular belief, JWT tokens may come in either JWS (signed only) or JWE (truly encrypted) format. JWE is just not a widespread capability of most JWT/JOSE libraries.

If your system is both the issuer and consumer of these tokens, then you can use encrypted JWTs, e.g. using the jose package's EncryptJWT module.

The { alg: 'dir', enc: 'A256GCM' } combination is suited to such a setup; the secret key would be a 256-bit random secret. Other enc values may require different-sized secret keys.

The resulting JWT looks like this; the only readable portion prior to decryption is the JWE Protected Header.

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dHrDXdmJIg9pwujk.ZX69BYgPmnCYpztL9BgdyaElv1wEebfq6dIrhoh6TEFiocGK4uwK6rt6pA6oXEkLd-pVVxtIaSTb6r5On1PU0EG9uqJbk7yGaMkq_OF1ZsbVbsHoGPaggoi5j7PCSLmRJdr1iByp7IJ2yWzTx-yzVgnBJgk.dSsVWFbQYLmr0mUBJVWpfQ
