Comments (10)
Hey @iamkdev,
I'll try to answer your questions separately:
- What you said above is partially true. Having the secret on the client side is not secure, but as you can see in this line, to decode the JWT you don't need the secret key, you only need the JWT itself. Note that decoding means decoding from Base64; there's no secret key involved in that process. On the other hand, verifying a JWT would require a secret key because it would involve a cryptographic signature operation.
To sum up, decoding does not need the secret (remember decoding is just interpreting base64) and verifying/signing does require it.
- Yes. That happens with every authentication mechanism that stores something in your browser, e.g. a cookie that you use to authenticate with Gmail. There's an interesting discussion going on here with lots of nice ideas around this topic. Feel free to join :)
from jwt-decode.
If you need to decode client-side without a server-side verification, you should be using RSA for your JWT ... sign it with the private key and verify it with the public key.
from jwt-decode.
Token can be read without any secrets or keys... it's not encrypted... so don't put someone's IP address in it... or anything that you don't want to get into someone else's hands. If someone tries to change the data in the token, it will not be verified correctly on the server.... so you can just treat it as a "read-only" public identifier.
from jwt-decode.
It's an old topic, but just in case someone stumbles upon this conversation, it is important to mention SSL. If you are sending any credentials or sensitive information back to the server, always do so over HTTPS.
from jwt-decode.
For query 2: one of the ways you can prevent this is by adding a device id (MAC address, IP address or other identifier specific to the session) in the payload, then verifying it on the server side.
from jwt-decode.
The asymmetric keys work as follows: the private key held by "A" can encrypt something, and anyone having the public key can make sure this "something" was encrypted by "A". No one having a public key can easily forge a cipher / token to pretend "A" encrypted it.
Therefore, in short: yes, you can decrypt the JWT token on the client side; you will know the content, but it will be useless… at first, because this is your own content (you can steal from yourself), but moreover if you try to modify it, you will not be able to sign it so that the server will accept it (because remember you have the public key, not the private key).
For info, if you were encrypting something with a public key, you would only ensure that it can be decrypted by the one having the private key (useless as well in this case, but just to share).
For symmetric keys (same key on the server and client side) it's not the same purpose:
from jwt-decode.
Thanks @dschenkelman
Token-based authentication is a wonderful and great alternative to session-based authentication. I am really excited about it.
from jwt-decode.
Great to hear that :). Closing this if it's OK with you.
from jwt-decode.
If I use a MAC address or IP address, then it will be difficult to use from a proxy or VPN...?
from jwt-decode.