
I'm using the jsonwebtoken package to implement JWT (JSON Web Token) authentication in my MEAN app.

I used the code below to generate a token after successful user authentication. I added the user id and a boolean variable to the payload as JSON.

                  const jwt = require('jsonwebtoken');
                  // The payload is only base64url-encoded, not encrypted: anyone holding the token can read it.
                  let payload = { subject : user._id, is_admin : true };
                  // HS256 with a static secret; no expiresIn option, so the token carries no exp claim and never expires on its own.
                  let token = jwt.sign(payload,'securepasswordgoeshere');
                  console.log(token);
                  res.status(200).send({ data: token });
                  res.end(); // redundant: send() already ends the response

I'm creating a cookie in the front end using Angular to save the token. I'm able to decode the payload using this website.

Based on the suggestions I received, a few people have suggested changing the secret used to sign the payload every hour. I'm not sure whether that is an efficient approach or what problems could arise from it.

Could someone suggest a good approach to solve this?

Anirudh
  • It's normal that you can decode the payload; it should usually not contain anything you would want to hide. But which problem do you want to solve by changing the signing secret? The moment you change your secret, all tokens issued before are invalid. – jps Jun 25 '19 at 10:28
  • I also recommend reading this: https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure – jps Jun 25 '19 at 10:29
  • @jpr Should I be using JWT or is there a better way? – Anirudh Jun 25 '19 at 11:33

0 Answers