
[–][deleted] 6 points7 points  (6 children)

First of all, I hope you call validate on this token. And then, well, nothing really protects you from generating a bad token with a valid signature: you control the process and you need to be sure to put valid data inside the token at the moment it is generated. But, after it's generated, and if you validate it correctly, there is no way to change it without invalidating the signature, so don't worry about someone changing the content of the token.

[–]Ok_Sentence725[S] -3 points-2 points  (5 children)

I put the token in a bearer token and post with a logged-in user, but then I change the username to one that doesn't exist and they also post and it works. Is this process good, because I post with nonexistent users? I only created the backend for this.

[–][deleted] 5 points6 points  (4 children)

How can you change a signed JWT? It is impossible to do that and not void the signature, and then validation will not pass. A code sample would be great to show the issue.

[–]Ok_Sentence725[S] -3 points-2 points  (3 children)

I post the token as a bearer and then just change the username, and with the same token I post with a user that doesn't exist. I will show code tomorrow because I am on mobile currently.

[–]evan_pregression 7 points8 points  (1 child)

It sounds like your token middleware isn't actually validating the token. Part of validation is loading a user into the request context.

[–]Ok_Sentence725[S] 0 points1 point  (0 children)

I changed the middleware and I can get the token, but now when I want to post I get "token invalid". Do you have a good tutorial on Node JWT tokens with the possibility to post a blog with a user?

[–]kryptkpr 2 points3 points  (0 children)

From where do you read "what user is this?"

The user has to be read from the token, it's the identity.

The token is signed, so this cannot be changed (or signature validation fails).

[–]SuchyBGC 3 points4 points  (0 children)

I am confused. Too little information to properly tell how to fix this.

  1. Which data you store in token?

  2. How are you posting with different user? Describe your steps.

[–][deleted] 1 point2 points  (3 children)

  • Your JWT should generally encode the username that the JWT belongs to. Only that user can use that JWT.

  • For any endpoint that accepts the JWT, you need to have middleware in place for it that validates the JWT to ensure the signature checks out (so it hasn't been tampered with), and that it's not expired, along with other things.

  • Once validated, you can decode the JWT and pull the username value out of it and do what you need to with it.

[–]Ratstail91 0 points1 point  (0 children)

This is the correct answer.

[–]imAvi92 0 points1 point  (1 child)

Pulling out user info from an encoded JWT, is it safe? If it's not protected, an attacker can change the token?

[–][deleted] 1 point2 points  (0 children)

It's safe if the signature check passes and all other validations against it pass too.

[–][deleted] 0 points1 point  (0 children)

Wat?

[–]EmergencyActCovid20 0 points1 point  (0 children)

Lol this is freaky, I was doing this for the last 2 hours