I have a jwt token returned by surrealdb's signin() method.
How do I populate a user object on authenticated requests using this token?
You can't get user data from the token but you should use the user's provided details to create a Userobject. You will need to store the token in a session store or on the client side to send it in the future requests.
Related
In my current test node express project, I use JWT. For a POST route, I need the user who fires the request. Therefore I send the JWT with the request. In the NodeJs controller, I have access to the supplied token.
I decode this and then have the user email, exp and iat. Is it now correct that I only start a DB query with the decoded email of the user, with which I receive the user object?
Or do I have to do another validation step? I don't miss any other validation but I find it somehow unsafe.
I decode this and then have the user email, exp and iat. Is it now correct that I only start a DB query with the decoded email of the user, with which I receive the user object?
You can use the email from the decoded JWT token only after its validation. Once you validate it, you know that user information is legitimate unless your secret is compromised.
You need to use an auth middleware that will allow the request to access the next middleware and the controller logic.
Or do I have to do another validation step? I don't miss any other validation but I find it somehow unsafe.
If the encoded JWT token is validated correctly, you don't need to add any validation for decoded data, however, it is important to validate the data coming in the request (You can use Joi).
I am using a simple JWT auth firebase. backend checks if its a valid user and gives back an access token using JWT. Now I want to implement a refresh token. How can I do it? What should be the content of the refresh token? When I sign a new access token and go to protected a page but when fresh it, it go to login page again.
what should I do to also sign a refresh token? please help me anyone.
when you are generating JWT auth token generate refresh token with 1d or with no expiry time according to you requirement. After this send JWT and JWT-REFRESH token in the response of login API, after this make an API in your backend which accepts the refresh token from header or from body and in response generate a JWT token, in case of bad refresh token return 401 status code.
At client side if you are using axios, you can use axios-interceptors as a middle to detect if 401 is coming from any API, then in that case hit the refresh JWT token API to generate new auth token.
If refresh token API gives again 401 response then handle it as REFRESH token is also expire and redirect the user into login page.
I have a React Native application with JWT authentication access to my backend.
When the user authenticates the backend returns an accessToken and a refreshToken the idea is, that both tokens are stored in AsyncStorage along with the expirationTime stored for both tokens.
Right now the implementation is so there is a setTimeout function that checks if the token is about to expire and uses the refreshToken to update the accessToken.
This made me wonder how much of a security upgrade it is using refreshTokens.
If both are stored in AsyncStorage (on the client), both could be accessed, what is the point of having the refresh token?
If an attacker got access to the client storage, they could simply update the access token with the refresh token?
I've been using Passport JWT for Auth and the payload for signing is username and seller.
Now the issue is that every time i update username and tries to fetch userdetails it gives 401. So i'm looking for a way to handle this gracefully using passport jwt in nestjs
How about using the user id and the seller id as payload? These values won't change and therefore the token stays valid even when the username changes
I just noticed a massive flaw with my JWT setup - I have a WebAPI project and am authenticating using JWT as set up in this guide here.
I am sending the users ID to them as part of the token payload. This is so when they can only retrieve resources which are theirs from the API.
The problem I have noticed is the following, if I:
Call login() and get a JWT back from the server
Take the token and decode it on https://jwt.io/
Change the payload so that the ID (that I'm sending to identify the user) is another ID
Use the new Encoded token in an API call
The token is accepted by the API and can be used to retrieve resources which don't belong to the user.
Why isn't the token invalidated when the user changes the payload - does this not defeat the purpose of the token?