Problems with JWT token

Asked

Viewed 207 times

2

I am using a system that, using JWT tokens pass for authentication, the problem is that I can easily collect the headers of the API calls and grab my token to be able to order whatever you want and take the data of any user. I believe the programmers are only blocking the route based on this code:

Route::group(['middleware' => 'jwt.auth'], function()

I’d like to know something to fill that problem(a second authentication or blocking method so that users who have token cannot collect information from other users and inform programmers, because I am afraid of having my data collected by some other user with ulterior motives.

javascript laravel jwt auth

1 answer

1

The JWT token spec perfectly predicts this case.

Only validate whether or not the token is a huge security breach and should be completely avoided.

A JWT token is an encrypted string that contains information about who issued that token (its application) and what is the subject of that token (the user) as well as so much information.

You first need to make sure that your backend is generating the token with this information, after every time a request is sent to your backend it is necessary to decrypt this token and extract the information not only verifying its existence as you said it is currently being done.

Below I put some links of the JWT specification with details of fields and validations.

  • Campos iss and sub are the ones I mentioned to store the information of which application and for whom the token was generated.

https://tools.ietf.org/html/rfc7519#page-9

  • How to generate and validate JWT tokens

https://tools.ietf.org/html/rfc7519#page-13

I don’t know Laravel but a simple search in Google returned me a library that already implements the specification of JWT.

https://github.com/tymondesigns/jwt-auth

I hope I’ve helped.

Browser other questions tagged javascript laravel jwt auth

You are not signed in. Login or sign up in order to post.