I have a node-app using json web token:
var jwt = require('jsonwebtoken');
If a login succedes then this library creates a token this way:
var payload = {mydata: 'abcd'};
var token = jwt.sign(payload, 'secret', {
expiresIn: 28800
});
return {
success: true,
message: 'Success',
token: token
};
What I don't understand is where the token is stored on the server. If the same user that received the token makes a call to a protected resource, then I have this line:
jwt.verify(token_sent_by_used, 'secret', function (err, res) {
if(!err){
res.json({result: 'success'});
}
else{
res.json({result: 'failure'});
}
}
The reason why Im asking this is that I could not find explanation on how to handle jwt when running an application across several machines. If my backend is put on different machines and user makes the requests to a load balancer, then the request can hit any machine. If jwt writes token data on the file system, then I guess there can be issue if the request hits a machine that was not the one that created the token. When using session, you can set the session handler to database. How do you solve this with jwt?
****EDIT****
Ok, let's take an eaxmple. I have a node app that is running on machine .10 and the same node app also running on machine .11. Two different machines.
I go to machine .10 and send username password. App on machine .10 checks username/password. They are ok. Machine .10 creates a jwt token and send it to me.
I now make a curl request (to a resource that requires a valid jwt-token) to machine .11 and send the jwt-token that machine .10 had preciously sent to me. Machine .11 will not complain about the jtw-token? It will be considered valid? Even if it was not created on machine .11?
JSON Web Token is an open industry standard used to share information between two entities, usually a client (like your app's frontend) and a server (your app's backend). They contain JSON objects which have the information that needs to be shared.
Information Exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be sure that the senders are who they say they are. Additionally, the structure of a JWT allows you to verify that the content hasn't been tampered with.
Storing JWT Token We can store it as a client-side cookie or in a localStorage or sessionStorage.
If in any case more than one JWT can be generated for a user for a single purpose like an email verification token, or reset password token in those cases we must save the tokens/latest token in DB to match with the most recent one.
Both servers in your question must be able to verify the token - they must be able to generate the signature. If both servers share the same secret key (used to originally generate the token's signature on .10), then both would be able to verify its contents.
In the screenshot below, both the red part and the purple part are plaintext - anyone can read and modify them. However, the blue part is special - it can only be generated on the server, from the red and purple parts, using the secret key. So, it guarantees that the red and purple parts were not tampered with.
So, when you send the whole JTW back to a server, it can use the secret key to generate the blue part and compare it with the blue part that you're sending. If they don't match, then someone (illegitimately) changed the red or purple parts, so authentication is denied.
JWTs aren't stored on the server.
When your server hands out a JWT, it's giving the client a visitor's pass that can be used whenever it requests a resource. As long as the client keeps hold of it, and it remains valid (i.e. not expired), it can show it to the server with the request and the server will respond accordingly.
The server knows it's a valid pass because it signed it with it's secret.
As for running on several machines, as long as any server that needs to verify the token knows the secret, it can do so.
Edit to clarify the above
You're asking specifically whether machine A will accept a token that was issued by machine B.
The only requirement for accepting a token is validating the signature so that you can verify where it came from.
If machine A and machine B share the secret, their tokens are interchangeable. There's no difference at all in the two and machine A won't be able to tell if it issued the token, or machine B did.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With