I am new to JWT, not new to React, but am very confused on how to decode a JWT from the front end. I initially thought that I can store the JWT secret in the .env file, but many sources say that it is a very bad idea to do so. I have the backend set up to send me a JWT when you log in. But without storing the secret key in the front end as well, how would I decode the information?
Backend:

```javascript
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');

// Inside a Promise executor: resolve() is the executor's callback.
if (bcrypt.compareSync(ctx.params.password, hashed_db_password)) {
  ctx.status = 200;
  const payload = { data: tuples[0] };                         // user row from the DB
  const options = { expiresIn: '1h', issuer: 'testIssuer' };
  const secret = process.env.JWT_SECRET;                       // server-side only
  const token = jwt.sign(payload, secret, options);            // HS256 by default
  ctx.body = token;
  return resolve();
}
```
How I thought the front end should have been:

```javascript
let data = JWT.verify(result.data, process.env.REACT_APP_JWT_SECRET, options);
```
I have also read a lot that the backend should do validation, but then wouldn't that just be a huge security risk to validate, then send back insecure raw user information? Any information would be greatly appreciated.

BTW, I am using React, Node.js, Express, and MySQL.