How is angular-jwt decoding my JWT without a secret?

The Auth0 team created something called "angular-jwt" which has a jwtHelper class. This thing successfully decodes a local JWT without the secret I used on the server. How did this happen? If they are not secure, then what is the point of using a secret to sign/encrypt them?

Function on the server that encrypts the token (using "jsonwebtoken"):

// Dependencies the snippet relies on: "jsonwebtoken" for signing, lodash for _.omit.
// config.secret is the server-side signing secret from the app's configuration (not shown).
var jwt = require('jsonwebtoken');
var _ = require('lodash');

// Signs the user object (minus the password field) with the server secret.
// Note: the expiresInMinutes option belongs to older jsonwebtoken releases;
// later versions use expiresIn instead.
function createToken (user) {
    return jwt.sign(_.omit(user, 'password'), config.secret, { expiresInMinutes: 60*5 });
}

Code from the client:

angular
    .module('sample.home', [
        'ui.router',
        'angular-storage',
        'angular-jwt'
    ])
    .config(function ($stateProvider) {
        $stateProvider
            .state('home', {
                url: '/',
                controller: 'HomeCtrl',
                templateUrl: 'modules/home/home.html',
                data: { requiresLogin: true }
            });
    })
    .controller('HomeCtrl', function homeController ($scope, $http, store, jwtHelper) {

        // The token was saved in local storage after login.
        $scope.jwt = store.get('jwt');
        // decodeToken only base64url-decodes the header and payload;
        // it does not check the signature, so no secret is needed.
        $scope.decodedJwt = $scope.jwt && jwtHelper.decodeToken($scope.jwt);

    });

Here's a link to the full example: http://github.com/auth0/ang...

G. Deward asked Aug 11 '15 22:08



1 Answer

A JWT uses encoding, not encryption. The data that the token contains is not a secret; anyone can decode it and view it. What the server does is sign the token using a secret (in your case, config.secret), which effectively makes it impossible to modify the token without knowing the secret. Hence, only the server will be able to change the contents of the token, but anyone can read it.

Yuri Zarubin answered Sep 22 '22 01:09