Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best Practice handling user data with JWT

Tags:

rest

jwt

api

json-web-token

I'm implementing stateless REST API via Json Web Tokens (JWT). At the moment, I'm wondering what is the best approach to pass the user data to the front end. Those are the fields I would need to access on the front-end username, email, role, full_name, description, profile_img, facebook_id, twitter_id, custom_setting_1, custom_setting_2, custom_setting_3, custom_setting_4

There are 2 options that I see:

  1. During the JWT creation add the user data to the JWT payload. And then decode it on the front end. Though I'm worried if I add all the data that the payload will get quite large.
  2. I can add only unchangeable fields like username, role to JWT. After the JWT is created and returned to the front-end, I send another request for the user data from the API.

I might be missing something here as well. So wondering what is the best approach handling the user data with JWT.

like image 551
Websirnik Avatar asked Jun 21 '16 12:06

Websirnik

People also ask

How do you handle the frontend JWT token?

In your frontend, store the access token in memory of your client's JavaScript application and store the refresh token in a web store. Send JWT access token as a bearer in HTTP header with each server request that requires authorization. Verify the JWT on your server using the public key (public to your services).

What is the best way to store JWT in client?

Use cookies to store JWT tokens – always secure, always httpOnly, and with the proper same site flag. This configuration will secure your client's data, it will prevent XSS and CSRF attack and also should simplify web application, because you do not have to care about using tokens manually on frontend code anymore.

1 Answers

Once you are using JWT for authentication purposes (I understand your server is generating an authentication token that the client needs to send to the server in every request), there's not point in including all of those details in the token.

Your second approach makes much more sense:

I can add only unchangeable fields like username, role to JWT. After the JWT is created and returned to the front-end, I send another request for the user data from the API.

Keep your JWT lean and perform another request to have the user details.

For more information on how to design the URL to return the authenticated user details, check below:

  • How to design URL to return data from the current user in a REST API?
  • Is using magic (me/self) resource identifiers going against REST principles?
like image 160
cassiomolin Avatar answered Sep 24 '22 09:09

cassiomolin
Sign in to Comment

Related questions

async / await fetch in node-js
How to write modern Windows software in C++?
Grab Instagram Follower count
How do I generate RDOC for (all of) Rails?
How to pass Map<String, String> parameters or object to POST request via Retrofit?
SHA1 certificate fingerprint
Why shouldn't I give outsiders access to my database?
Documentation tools for RPC APIs
Which PDF Generation API (Java) supports Gujarati Font?
India Banking API to Process NEFT Payments
Datanucleus Programmatic API Class Enhancement
centralized API documentation for microservices [closed]
How to allow users to login protected flask-rest-api in Angularjs using HTTP Authentication?
What alarm/access hardware can I control from *NIX?
Coldfusion CFHTTP with SHA512-hmac signed REST request body
How to add HTTP header to URL
CORS Issue with external API - Works via PostMan but not HTTP request with Axios [duplicate]
Android Adding a new Calendar

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!