I am creating a MEAN-stack flash card application and trying to follow the process described in this tutorial: https://thinkster.io/mean-stack-tutorial#wiring-everything-up .
When a new user registers, I want to return this user's information in the user object: the current and last deck of cards examined, the current and last card, etc.
My question is, how much of this information should go into the JWT payload?
In the thinkster.io tutorial, the JWT payload contains only the user _id, the username, and the expiration date. I am worried that the additional information should not go into the JWT because it would make the JWT too large. Should I instead just send the JWT back along with the user object that comes back after the user is saved with the Mongoose save method? This strategy sounds as if it matches the following quote from:
https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#token-size
Every time you make an API request, you have to send the token in the Authorization header.
Depending on how much information you store in that token, it can get big. On the other hand, session cookies are usually just an identifier (connect.sid, PHPSESSID, etc.), and the rest of the content lives on the server (in memory if you have only one server, or in a database if you have a farm of servers).
Now, nothing prevents you from implementing a similar mechanism with tokens. The token would carry only the basic information needed, and on the server side you would enrich it with more data on every API call. This is the same thing a cookie does, with the difference that you have the additional benefit that now it is a conscious decision, you have full control and it is part of your code.
The /register route code I am trying to follow from thinkster.io is as follows:
var express = require('express');
var router = express.Router();
var mongoose = require('mongoose');
var User = mongoose.model('User'); // the tutorial's User model, which defines setPassword() and generateJWT()

router.post('/register', function(req, res, next){
  if(!req.body.username || !req.body.password){
    return res.status(400).json({message: 'Please fill out all fields'});
  }

  var user = new User();
  user.username = req.body.username;
  user.setPassword(req.body.password); // stores a salt and a PBKDF2 hash, never the plaintext password
  user.save(function (err){
    if(err){ return next(err); }
    // only the token is returned; generateJWT() signs _id, username and exp
    return res.json({token: user.generateJWT()});
  });
});

module.exports = router;
, :
user.save(function (err, user){
  if(err){ return next(err); }
  // the saved document also carries the hash and salt fields, so the
  // credential material is stripped before the document is sent to the client
  var safeUser = user.toObject();
  delete safeUser.hash;
  delete safeUser.salt;
  return res.json({token: user.generateJWT(),
                   user: safeUser});
});
JWT, JWT ?