By: Saad Abbasi
Protecting endpoint in Node.js using JWT

WHO AM I?

More...
- Technical Lead at Incubation Center (DUET)
- Full Stack JavaScript Developer
- Freelance Developer (JS/IoT)
- 1.5+ years in tech industry
- Security Enthusiast
- ...


/saadi.dev
/isaadabbasi
What problem do we want to solve?

That's simply NOT how a server works.
Session IDs.
- Uses Cookies/LocalStorage
- No validation on the server
- Vulnerable to XSS/MITM
Auth Guards.
- Client-side JS
- Uses LocalStorage
- Vulnerable to XSS/reverse engineering

JSON Web Token (JWT)
"JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties."
- jwt.io
Claims?
"Formally request or demand; that one owns something."
Non-repudiation?
Non-repudiation is the assurance that someone cannot deny something.
Def.

Consider
- All the basic stuff a web server needs
- Encrypted the passwords
- Implemented an authentication model
Before sending "200 OK", Sign a JWT.
Options JWT provides

Algorithm Support

... and Cookify it.
// Express: res.cookie(name, value, options); the cookie must be given a name.
const token = ...;
res.cookie('token', token, {
  secure: true,  // works only over TLS (HTTPS).
  httpOnly: true // JS is unable to touch the cookie.
});

Wrapping Up.
- Use the async implementation of JWT
- Use RS256 or higher
- Use different keys for TLS and JWTs
- Use keys generated with OpenSSL in production
- Use the same expiry for cookies and JWTs
- Use a middleware to check and handle tokens
- Use 2048-bit or larger keys
That's It, Thanks.

github.com/isaadabbasi
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImVtYWlsMTBAZ21haWwuY29tIiwiX2lkIjoiNTlkNjVlYTQ0ZmU0MTg2ZjE5ODQxYzIzIiwiY29udGFjdCI6IjAzMDAxMDciLCJpYXQiOjE1MDcyODI4OTYsImV4cCI6MTUwNzI4NjQ5Nn0.GlxbnVzMtBJyo_Gb4qSsdciuNQ8SqFj9-XlIUdfU8F3QIQpcMH81xj5ftvTE9ajrecOb8lSZZj8xbFMGcdgjyOj3WQIh2-zTu5v4zYlHgWa0ZVAHDW8tT-ehTKt7TpVo9NPmH-8r1jRJVelT80gBPfhN5T1hn89akwQ6ZZRRCDwWA1BaRrzBxlaqKDgZ0SGaCWATt7o5QyyBTWT9c0M1OiH0qNhJuRyDE7uPVOhqi2Ju7GlgwojyDI15p5KoYZp4TqmbRgCu9f2qPkSkkCjb_fAL14CEMqdp-5PRJNb3hp8o_BR_COGEpLbrLLj-o8k6zB_GY2NEW9tPPw5-EMXupg"