gitcommitshow/auth-jwt

A demo to learn JWT by reverse engineering
- Head over to the demo hosted on repl.it
- Or run it on your local machine by cloning the repo and running the following commands:

```sh
# Install dependencies
npm install
# Create environment variables file
cp ENV_SAMPLE .env
# Defaults should work for local setup. On production, set the env variables for your server, e.g. API_URL, FRONTEND_URL, etc.
npm start
# Visit localhost:3000
```
- Play around with the configurations
- Read the cues at every page with more resources to go deeper into concepts
If you want to extend the code with more functionality, check out the documentation.
- Asymmetric Cryptography
- Digital Signatures: verifying the authenticity of a message
- Forward Secrecy: a way to protect past sessions against a future compromise of the private key
- Encryption vs Signing
- Encryption vs Encoding
- Hashing vs Encoding vs Encryption vs Obfuscation
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans: allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.