Problems with JWT token

2

I'm using a system that uses the JWT token pass for authentication, the problem is that I can easily collect the headers of the API calls and pick up my token to be able to request what I want and pick up the data of any user. I believe that programmers are only blocking the route based on this code:

Route::group(['middleware' => 'jwt.auth'], function() 

I'd like to know something to address this problem (a second authentication or blocking method so that users who have token can not collect information from other users and inform the programmers because I'm afraid of having my data collected by some other user with second thoughts.

    
asked by anonymous 08.10.2018 / 15:45

1 answer

0

The JWT token spec predicts this case perfectly.

Only validating whether or not the token is a bad security hole should be completely avoided.

A JWT token is an encrypted string that contains information about who issued that token (its application) and what is the subject of that token (the user) in addition to so much information.

You first need to make sure that your backend is generating the token with this information, then every time a request is sent to your backend you need to decipher that token and extract the information not just verifying its existence as you said it is done right now.

Below are some links from the JWT specification with field details and validations.

  • Fields iss and sub are the ones I mentioned to store the information of which application and to whom the token was generated.

link

  • How to generate and validate JWT tokens

link

I do not know Laravel but a simple Google search returned me a library that already implements the JWT specification.

link

I hope I have helped.

    
08.10.2018 / 17:43