re: Great article but I still have some doubts. 1 - To create the token you have passed user._id parameter, but to check using verify function you have...

Thank you, I'm glad you liked it.

  1. This act of verifying users is called authorization. It means that a certain type of user has access rights to some resources. The verify function is checking whether this user has the access right. The tokens are only a way of granting permission to the resource.

  2. Yes, you can add more properties to the object you sign the token with, such as a roles array. But all the checking will be done inside a middleware function. However, beware. Never sign the token with the whole user object. This is very dangerous, as the token can end up containing the user's password. That's not something you want happening.

