Repository files navigation

A demo to learn JWT by reverse engineering

1. Head over to thedemo hosted on repl.it

Or run it on your local machine by cloning the repo and running following commands

#Install dependenciesnpm install#Create environment variables filecp ENV_SAMPLE .env#Defaults should work for local setup. But on production, env variables should be set for your server e.g. API_URL, FRONTEND_URL, etc.npm start#Visit localhost:3000

2. Play around with the configurations
3. Read the cues at every page with more resources to go deeper into concepts

If you want to extend code for more functionalities,checkout the documentation

• JWT
• JWT vs Opaque tokens

• Assymetric Cryptography
• Digital Signatures : Verifying authenticity of message
• Forward Secrecy : A way to protect against future compromises of private key
• Encryption vs Signing
• Encryption vs Encoding
• Hashing vs Encoding cs Encryption vs Obfuscation

• Strategies to invalidate jwt - SO Q&A

• Simply remove the token from the client
• Create a token blacklist
• Just keep token expiry times short and rotate them often
• Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

• Discussion: Is refreshing an expired JWT token a good strategy?

• JWT attack - signature as MAC
• Recreating JWT validation bypass
• 3 JWT design flaws

• Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
• JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
• JWT+Passport
• JWT+Passport : Code
• JWT+Passport : Guide on DO
• Passport-jwt
• Refreshing token using node-jsonwebtoken

• Encode or Decode JWTs