A demo to learn JWT by reverse engineering
- Head over to the demo hosted on repl.it
Or run it on your local machine by cloning the repo and running following commands
#Install dependencies
npm install
#Create environment variables file
cp ENV_SAMPLE .env
#Defaults should work for local setup. But on production, env variables should be set for your server e.g. API_URL, FRONTEND_URL, etc.
npm start
#Visit localhost:3000- Play around with the configurations
- Read the cues at every page with more resources to go deeper into concepts
If you want to extend code for more functionalities, checkout the documentation
- Assymetric Cryptography
- Digital Signatures : Verifying authenticity of message
- Forward Secrecy : A way to protect against future compromises of private key
- Encryption vs Signing
- Encryption vs Encoding
- Hashing vs Encoding cs Encryption vs Obfuscation
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.