API authentication using json web tokens jwt-simple

I am using jwt-simple to create an API key. Basically, it executes encode(secret+data) and sends it with the request. I know that the server will run decode(encode(secret+data)) and check whether it is a valid request. Example code from the jwt-simple documentation:

    var jwt = require('jwt-simple');
    var payload = { foo: 'bar' };
    var secret = 'xxx';

    // encode
    var token = jwt.encode(payload, secret);

    // decode
    var decoded = jwt.decode(token, secret);
    console.log(decoded); //=> { foo: 'bar' }

My questions:

  • Wouldn't anyone be able to access the API if they know the token generated by encode(data+key)? So should I use HTTPS instead of HTTP?
  • I think I need to keep the secret of each user on the server, as it will be needed for decoding. Where should I keep it, if I'm wrong?
  • How to send multiple API requests? Is there a better way besides sending an API key for each request?

Thanks in advance.

1 answer

See this post regarding your confusion with the secret: Can anyone decode the JSON Web Token (JWT) without a secret key?

Regarding your questions:

  • Yes, anyone who can somehow get a valid token can access your API. Therefore, if someone knows the secret key that you use to sign your tokens and can create a valid payload, he can use the API. But the usual flow will be: the user logs in, you check the password, and if the password is correct, you give them a valid token. If someone grabs this token from this user's computer, you cannot prevent this. But you can make the tokens expire, so if someone steals one, it will not be valid for long.

  • You can sign your tokens with the same application-wide secret, but you will use some unique payload for the user, so that each user receives a different token.

  • In a simple solution, you simply send the token with every call you make to the API (apart from logging in and registering). There are other solutions for creating sessions, but I think they are a little more difficult to implement.


Source: https://habr.com/ru/post/1263850/
