
express-jwt vs. jsonwebtoken

I have a feeling this is going to be a quick answer, but I can't seem to find any great definitive answers on the web - what is the difference between the jsonwebtoken npm package and the express-jwt npm package? I think express-jwt is written on top of jsonwebtoken and simply verifies incoming tokens and sets req.user to the user payload on the JWT.

Is that correct? Sorry if this is a total noob question... I just started learning authentication and node/express, so it's all pretty new to me.

bobbyz asked Dec 08 '15 20:12




1 Answer

Coming back to this many months later. In case it's helpful to anyone, express-jwt is built on top of the jsonwebtoken package and does a bunch of additional cool things. You still use jsonwebtoken to sign and verify your JWTs, but express-jwt helps you protect routes, checks JWTs against a secret, and creates a req.user from the payload of the token if it can verify it.

tl;dr: express-jwt uses jsonwebtoken in its own code and adds additional neatness.

bobbyz answered Oct 02 '22 10:10
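An added sketch of the split the answer describes (not code from the original post, and not the source of either package): `sign` and `verify` stand in for the token layer that jsonwebtoken provides, and `requireJwt` stands in for the route-protecting middleware that express-jwt adds. All three function names are hypothetical, and Node's built-in `crypto` module replaces the real libraries so the block runs offline.

```javascript
// Added illustration; not the source of jsonwebtoken or express-jwt.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Token layer (the part jsonwebtoken provides): create an HS256-signed JWT.
function sign(payload, secret) {
  const data = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${data}.${hmac(data, secret).toString('base64url')}`;
}

// Token layer: return the payload, or throw if the token cannot be trusted.
function verify(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const decode = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  // Pin the algorithm: never let the token's own header choose it ("none", etc.).
  if (decode(head).alg !== 'HS256') throw new Error('unexpected algorithm');
  const given = Buffer.from(sig, 'base64url');
  const expected = hmac(`${head}.${body}`, secret);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const payload = decode(body);
  if (typeof payload.exp === 'number' && Date.now() / 1000 >= payload.exp) {
    throw new Error('token expired');
  }
  return payload;
}

// Route layer (the part express-jwt adds): Express-style middleware that reads
// the Authorization header, verifies the token, and sets req.user or answers 401.
function requireJwt(secret) {
  return (req, res, next) => {
    const match = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    try {
      if (!match) throw new Error('missing bearer token');
      req.user = verify(match[1], secret);
    } catch (err) {
      res.statusCode = 401;
      return res.end(JSON.stringify({ error: err.message }));
    }
    next();
  };
}
```

In an Express app the middleware would be mounted per route, for example `app.get('/me', requireJwt(secret), handler)`, so the handler only runs when `req.user` has been set from a verified token.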