
I'm making an Angular app that has users log in, make progress, then they are awarded levels/experience points. I'm using a Node.js/Express API and I want to be able to make a call from my app to award them exp. I'm using a JWT and server signing with a private key to auth requests, but realized that a user could just pull their token and give themselves experience. My question would be: is there any way to protect my route from that, or is that a fundamental flaw in the design?

  • Even if the user gets the token, the user will only be able to access those resources that are granted access to that particular token. And this is pretty much how JWT works; you can get more info by reading the article: https://jwt.io/introduction/ – Joel Joseph Apr 25 '19 at 05:01
  • There are plenty of discussions here in the community itself: https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure – Joel Joseph Apr 25 '19 at 05:06
  • Thank you for the response, but maybe I'm missing something. Even if I created a separate token with an admin property or something... what's to stop them from looking at their browser network monitor and copying the token to make their own requests? – mattb103190 Apr 25 '19 at 05:11

1 Answer

1

I don't believe this is something you can do specifically with JWT. As commenters have already said, JWT just provides access rights for the given token. As you say yourself, it would be simple enough to just read the traffic and send their own requests to jack up their exp.

While your basic authentication/authorisation mechanism can't solve this, you can handle it in some other fashion within, for example, the request payload itself.

You could encrypt and/or sign your payloads. Given that the app would need to know or receive key(s) to use, it's possible that with enough investigation this is eventually found and duplicated as well. But it's another step someone would have to go through and replicate.

You could employ additional checks and measures - have your requests for [exp increase] be a two-step process; the server responds to the initial request with some minor task to be solved that is then attached to the follow-up request. Assuming the task is done properly, you can be reasonably sure that it came from your app as your app knows how to solve the problems issued (or someone with a serious lack of hobbies outside of deconstructing your entire application).

You could limit the amount of exp that should be reasonably achievable by your users. If you know that people should, at most, be able to gain xyz exp per minute/hour/day/etc, then by monitoring exp growth, you can flag and/or block additional gains past this point.

Krenom
  • 875
  • 5
  • 16
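One way to implement the server-side checks the answer suggests, as added example code that is not part of the question or answer: the client reports only which task it finished, the server looks the reward up in its own table, rejects a replayed request for the same task, and caps the exp obtainable per hour, flagging the user when the cap is hit. The task table, reward values, hourly cap and user ids are constructed assumptions.

```javascript
// Server-side reward table (constructed sample). The client never sends an amount.
const TASK_REWARDS = { "lesson-1": 50, "lesson-2": 75, "quiz-1": 120 };
const HOURLY_CAP = 200;                 // assumed: most exp a legitimate user earns per hour
const WINDOW_MS = 60 * 60 * 1000;

// In-memory per-user state; userId is assumed to come from the verified JWT `sub` claim.
const users = new Map();

function getUser(userId) {
  if (!users.has(userId)) {
    users.set(userId, { exp: 0, completed: new Set(), awards: [], flagged: false });
  }
  return users.get(userId);
}

// Returns an HTTP-shaped result { status, body } so the route handler stays thin.
function awardExp(userId, taskId, now = Date.now()) {
  const reward = TASK_REWARDS[taskId];
  if (reward === undefined) {
    return { status: 400, body: { error: "unknown task" } };
  }
  const user = getUser(userId);
  if (user.completed.has(taskId)) {
    // A captured request replayed from the network monitor must not pay out twice.
    return { status: 409, body: { error: "task already completed" } };
  }
  // Keep only awards inside the current window, then sum them.
  user.awards = user.awards.filter((a) => now - a.at < WINDOW_MS);
  const recent = user.awards.reduce((sum, a) => sum + a.exp, 0);
  if (recent + reward > HOURLY_CAP) {
    user.flagged = true;                // surfaced to monitoring; the gain is blocked
    return { status: 429, body: { error: "exp rate limit exceeded", flagged: true } };
  }
  user.completed.add(taskId);
  user.awards.push({ exp: reward, at: now });
  user.exp += reward;
  return { status: 200, body: { exp: user.exp } };
}

// Express wiring (assumed, not executed here): a JWT middleware sets req.user.sub.
// app.post("/exp", (req, res) => {
//   const r = awardExp(req.user.sub, req.body.taskId);
//   res.status(r.status).json(r.body);
// });
```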