Where does JWT keep the tokens?


Viewed 1,986 times

3

I am following this tutorial to create an authentication system using Node.js and JWT: https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens

By following the steps of the tutorial, I can verify that the user is correct and create the JWT. However, apparently, the token is not being stored anywhere. When accessing the /test route, nothing is returned. Here is the code:

const express = require('express');
const jwt = require('jsonwebtoken');

const router = express.Router();

const Usuario = require('../models/Usuario');

router.get('/teste', (req, res) => {
  const token = req.body.token || req.query.token || req.headers['x-access-token'] || null;
  return res.json(token);
});

router.post('/login', (req, res) => {
  Usuario.findOne({ email: req.body.email, senha: req.body.senha }, (err, usuario) => {
    if (err) return res.json({ error: err });
    if (!usuario) return res.json({ error: 'Email e/ou senha incorretos!' });

    jwt.sign(usuario, 'secret', { expiresIn: 3600 }, (err, token) => {
      if (err) return res.json({ error: err });
      return res.json({ message: 'Logado com sucesso!', token: token });
    });
  });
});

module.exports = router;
  • How are you sending the JWT in your request?

  • I'm not sending the JWT in the request; I thought the sign method would do it automatically. So how can I pass that token forward via headers, Vinicius?

  • You get the token in the sign response; you have to pick up that token and store it somewhere. If your client is a browser, it can be in cookies, for example. Then how to add the header will depend on the client you are using to make the request.

  • I get it. In that case, I would like to not use cookies for this; how can I pass this token via the x-access-token header?

  • In the case of Postman, you must add an x-access-token header in the request configuration.

4 answers

1

The token is not stored. In a request you will need to supply it, usually via headers, but it can be anywhere.

The server will receive the token and will validate it with the private key. Then you have the validated data from the token.

1

The JSON Web Token standard (JWT) only defines an access token exchange protocol and format; storage is not part of the specification. Translation of the Wikipedia article:

[...] is an open standard based on JSON (RFC 7519) to create access tokens that assert a number of claims. [...] Tokens are designed to be compact, URL-safe and usable especially in the context of single web browser login (SSO). JWT claims can typically be used to pass authenticated user identity between an identity provider and a service provider, or any other claims as required by business processes. Tokens can also be authenticated and encrypted.

The storage of these tokens should then be explicitly implemented. There are several ways, and the choice will depend on your model. Some examples here: 1, 2, 3.

0

You can store it in localStorage when you make the AJAX request in the client.

0

Hello, just pass it in the header of your request, since you are using the name 'x-access-token'.

Using jQuery:

$.ajax({
   url : 'api/route',
   // Send the token received from /login on every request
   headers: {
        'x-access-token' : token
   }
});

Afterwards, your authentication middleware will receive this token and validate it, so you can get the payload later in the method ;)
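
The flow the answers describe, end to end, as an added example that is not part of any answer or of the tutorial: the login side signs a token, the client sends it back in x-access-token, and the server validates it from the request alone. It uses only Node's built-in crypto module instead of jsonwebtoken; SECRET, signToken and authenticate are hypothetical names.

```javascript
// Added example: stateless HS256 check of the x-access-token header.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: real code loads this from config

const b64url = (data) => Buffer.from(data).toString('base64url');

// What the /login route hands back: header.payload.signature
function signToken(claims, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.createHmac('sha256', SECRET).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// What the middleware does on every request: nothing is looked up server-side.
function authenticate(req, now = Math.floor(Date.now() / 1000)) {
  const token = req.headers['x-access-token']; // Node lowercases header names
  if (typeof token !== 'string') return { ok: false, error: 'missing token' };

  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: 'malformed token' };
  const [header, payload, sig] = parts;

  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch {
    return { ok: false, error: 'malformed token' };
  }
  // Pin the algorithm instead of trusting the token's own header.
  if (alg !== 'HS256') return { ok: false, error: 'unexpected alg' };

  const expected = crypto.createHmac('sha256', SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: 'bad signature' };
  }
  if (typeof claims?.exp !== 'number' || now >= claims.exp) {
    return { ok: false, error: 'expired' };
  }
  return { ok: true, claims };
}
```
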
