By: Saad Abbasi

Protecting endpoints in Node.js using JWT

WHO AM I?

More...

  • Technical Lead at Incubation Center (DUET)
  • Full Stack JavaScript Developer
  • Freelance Developer (JS/IoT)
  • 1.5+ years in tech industry
  • Security Enthusiast
  • ...

/saadi.dev

/isaadabbasi

What problem do we want to solve?

That's simply how a server should NOT work

Session IDs.

  • Uses cookies / LocalStorage

  • No validation on server

  • Vulnerable to XSS / MITM

Auth Guards.

  • Client-side JS
  • Uses LocalStorage
  • Vulnerable to XSS / reverse engineering

JSON Web Token (JWT)

"JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties."

- jwt.io

Claims?

"Formally request or demand; that one owns something."

- Google

Non-repudiation?

Non-repudiation is the assurance that someone cannot deny something.

Def.

Consider

  • All the basic stuff a web server needs

  • Encrypted the passwords

  • Implemented Authentication Model

Before sending "200 OK", Sign a JWT.

Options JWT provides

Algorithm Support

... and Cookify it.

// token is the JWT signed in the previous step
const token = ...;
// Express signature is res.cookie(name, value, options)
res.cookie('token', token, {
    secure: true, // works only over TLS (HTTPS).
    httpOnly: true // JS is unable to touch the cookie.
});

Wrapping Up.

  • Use the async implementation of JWT
  • Use RS256 or higher
  • Use different keys for TLS and JWTs
  • Use keys generated with OpenSSL in production
  • Use the same expiry for cookies and JWTs
  • Use a middleware to check and handle tokens
  • Use 2048-bit or larger keys

That's It, Thanks.

github.com/isaadabbasi

"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImVtYWlsMTBAZ21haWwuY29tIiwiX2lkIjoiNTlkNjVlYTQ0ZmU0MTg2ZjE5ODQxYzIzIiwiY29udGFjdCI6IjAzMDAxMDciLCJpYXQiOjE1MDcyODI4OTYsImV4cCI6MTUwNzI4NjQ5Nn0.GlxbnVzMtBJyo_Gb4qSsdciuNQ8SqFj9-XlIUdfU8F3QIQpcMH81xj5ftvTE9ajrecOb8lSZZj8xbFMGcdgjyOj3WQIh2-zTu5v4zYlHgWa0ZVAHDW8tT-ehTKt7TpVo9NPmH-8r1jRJVelT80gBPfhN5T1hn89akwQ6ZZRRCDwWA1BaRrzBxlaqKDgZ0SGaCWATt7o5QyyBTWT9c0M1OiH0qNhJuRyDE7uPVOhqi2Ju7GlgwojyDI15p5KoYZp4TqmbRgCu9f2qPkSkkCjb_fAL14CEMqdp-5PRJNb3hp8o_BR_COGEpLbrLLj-o8k6zB_GY2NEW9tPPw5-EMXupg"