Node-jsonwebtoken: Less Secure (jwt token decodes without any secret)

Created on 25 Mar 2020 · 7 Comments · Source: auth0/node-jsonwebtoken

Team JWT, I have created a token using jwt.sign, where I passed my own secret. Then I copied the token, pasted it on the jwt.io website, and I was amazed that it decoded my token without any secret
and showed usernames and passwords.

Here is the token for demo purposes: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2Vybm1hZSI6InNzYXR5YW1jaGF1aGFuIiwicGFzc3dvcmQiOiJ3aHlpdGlzbWUiLCJpYXQiOjE1ODUxMzM0ODMsImV4cCI6MTU4NTM5MjY4M30.bKtmn03-ZnAAzNxnNk9ZPlrsbbk8lUThMt24gwL-r2w
I just wanted to know whether this is secure for token-based authentication in a web app.

Hoping for the quick response.

All 7 comments

jwt.sign is for signing a token, not encrypting it. With signing, you use a private key to sign a message so that a consumer of the message can use a public key (or the private key, depending on whether you chose a symmetric algorithm to sign the payload) to verify its authenticity.

For more information, check out this document.
Also, this RFC specifies the JSON web token standard, as well as what some JWT claims are used for.

Hope this helps!

To add to @yacineMTB's response, you can decode a token without verifying its signature. This is why you see this behavior with jwt.io. This distinction is referenced in the readme here: https://github.com/auth0/node-jsonwebtoken#jwtdecodetoken--options

If that is so, then why is a private key or secret key passed when signing a JWT?

@ssatyamchauhan to sign its payload. So that when you receive the token you can verify it was not tampered with. This uses JWS (JSON Web Signatures) to provide integrity protection, NOT CONFIDENTIALITY.

For confidentiality, various JWE (JSON Web Encryption) schemes are available, though not in this package.

Also, in jwt.io, if you provide your secret under the VERIFY SIGNATURE section, you will see Signature Verified. Without that, you will see Invalid Signature.

@panva It means there is no way to encrypt the payload? Only the signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

jsonwebtoken does not provide encryption, only signatures.

https://github.com/panva/jose can be used for both signing and encryption, but please consider reading up on the topic and specifications first before jumping in and choosing a cipher suite poorly for your use case.
