Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

does JWT containing userID need verification from the database?

Tags:

authentication

node.js

jwt

jwt-simple

I sign a JWT (JSON Web Token) with userID and iat (issues at) like so

jwt.encode({sub: user.id, iat: timestamp}, jwtSecret);

When I receive a JWT from the client, I decode it to extract the userID. Do I need to validate the userID by checking its existence in the database every time I need to allow the user to access a secure route (see first example)? Or can I just assume that the user is who she says she is, and allow her to access the secure path?

My feeling is that I need to access the database to validate the user on every request, this would be expensive and defeat the purpose of using a JWT.

like image 424
quantdaddy Avatar asked Apr 17 '18 06:04

quantdaddy

People also ask

Is it safe to store user ID in JWT?

JWTs can be used as an authentication mechanism that does not require a database. The server can avoid using a database because the data store in the JWT sent to the client is safe.

Do I need to verify JWT?

Tokens should be verified to decrease security risks if the token has been, for example, tampered with, misused, or has expired. JWT validation checks the structure, claims, and signature to assure the least amount of risk. To visually inspect a JWT, visit JWT.io or use the JWT Debugger Chrome Extension).

How jwt token is verified?

To verify JWT claims Verify that the token is not expired. The aud claim in an ID token and the client_id claim in an access token should match the app client ID that was created in the Amazon Cognito user pool. The issuer ( iss ) claim should match your user pool.

Can you verify a JWT without knowing the secret?

Anyone in possession of JWT can decode it and see the content. JWT tokens are digitally signed (the signature part) using the payload content and a secret key. In order to change the content, the secret key is required to generate the signature again, otherwise, the signature will be invalid.

2 Answers

Your token is signed. If someone changes the token on client side, it would fail validation and the server side framework would reject it. Therefore you can trust your token. Of course, the jwtSecret should be a secret only known by your authentication server and resource server.

  • You generate the token only if you trust the user who requested it.
  • You trust the token as long as it has not expired and can be verified with the secret.
like image 71
jps Avatar answered Oct 17 '22 10:10

jps

The whole idea of JWT is that can verify the integrity of the claims contained within it. If you can decode successfully the token you can be sure that this token contains information previously encoded by you. For someone to pass malformed data has to also know the secret you use to sign the tokens.

For more information read this.

like image 35
Alex Michailidis Avatar answered Oct 17 '22 09:10

Alex Michailidis
Sign in to Comment

Related questions

Real time chat, message handling - Socket.io, PHP, MySQL, Apache
Git Hooks error when using NVM in WebStorm and SourceTree
Create React App adding CORS header
You seem to not be depending on "@angular/core". Typescript
Send response from server side axios request to React/Redux app
Sequelize: difference of DataTypes and Sequelize
Get GPU temperature NODEJS
How to extend a module from npm using TypeScript?
Cloud Functions for Firebase: how to use a Transaction promise?
POST Request to expressjs not working despite using CORS
Running tests .mjs / ESM on Node using Jasmine or any other alternative
Exclude dev dependencies when publishing npm package
Loopback API connecting to MongoDB Atlas, fails
Node 8 + Typescript + Koa + koa-Router throws "TypeError: ctx.onerror is not a function"
Google calendar API and node js - "googleAuth is not a constructor" issue
NodeJS import only if not in production
Switching between tabs with puppeteer
context.awsRequestId from lambda
AWS Lambda: Error: getaddrinfo ENOTFOUND from api
cb is not a function in hapi-auth-jwt2 - Node.js

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!