Team JWT, I have created a token using jwt.sign where I passed my own secret, and then I copied the token and pasted it on the jwt.io website. I was amazed that it decodes my token without any secret
and shows usernames and passwords.
Here is the token for demo purposes: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2Vybm1hZSI6InNzYXR5YW1jaGF1aGFuIiwicGFzc3dvcmQiOiJ3aHlpdGlzbWUiLCJpYXQiOjE1ODUxMzM0ODMsImV4cCI6MTU4NTM5MjY4M30.bKtmn03-ZnAAzNxnNk9ZPlrsbbk8lUThMt24gwL-r2w
I just wanted to know: is this a secure way to do token-based authentication in a web app?
jwt.sign is for signing a token, not encrypting it. With signing, you use a private key to sign a message so that a consumer of the message can use a public key (or the private key, depending on whether you chose a symmetric algorithm to sign the payload) to verify its authenticity.
For more information, check out this document.
Also, this RFC specifies the JSON web token standard, as well as what some JWT claims are used for.
Hope this helps!
To add to @yacineMTB 's response, you can decode a token without verifying its signature. This is why you see this behavior with jwt.io. This distinction is referenced in the readme here: https://github.com/auth0/node-jsonwebtoken#jwtdecodetoken--options
If it is, then why is a private key or secret key passed when signing a JWT token?
@ssatyamchauhan to sign its payload. So that when you receive the token you can verify it was not tampered with. This uses JWS (JSON Web Signatures) to provide integrity protection, NOT CONFIDENTIALITY.
For confidentiality various JWE (JSON Web Encryption) schemes are available, not in this package though.
Also, in jwt.io, if you provide your secret under the VERIFY SIGNATURE section, you will see Signature Verified. Without that, you will see Invalid Signature.
@panva It means there is no way to encrypt the payload? Only the signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
jsonwebtoken does not provide encryption, only signatures.
https://github.com/panva/jose can be used for both signing and encryption, but please consider reading up on the topic and specifications first before jumping in and choosing a cipher suite poorly for your use case.