DEV Community

Faiz Azhar

Posted on • Originally published at blog.faizazhar.com

Should I always verify JSON Web Tokens?

I like one of the answers in this Reddit post.


Allow or deny at entrance

"Imagine you run a theme park with a whole bunch of rides. People pay once at the entrance gate and can go on any rides they want, so you assume that anyone who gets into the park must have paid their way in, so you don't think you need to check if people have paid before they get on the rides."

  • This is the analogy for a traditional VPN: you are checked once at the perimeter, and nothing inside checks you again.

Check presence of ticket for every ride

"You realise that some people are climbing over the fence and getting on all the rides for free. You decide to issue everyone who comes through the entrance with a ticket, and instruct your ride operators to check that people have tickets before letting them on the ride."

  • This is the analogy for the zero-trust model: every request must carry a token, although at this stage only the token's presence is checked.

Verify the validity of the tickets

"This works for a while, but soon you realise that people are buying one ticket then climbing over the fence on their subsequent visit, only paying once instead of twice. Even worse, some people bought one ticket and are now giving away photocopies of it for free. To fix this you get your salesperson to write the date when the ticket was issued on the ticket and sign it. You then tell the ride operators to make sure that the ticket is in date and the signature matches. Now you know that a ticket came from your salesperson, and it can only be used once."


Lessons

  • If you don't check your JWTs at all, literally anyone could get data from your API.
  • If you check for the presence of a JWT but don't verify it, people can present whatever JWT they want and get the API to think that they're anyone.
  • Your API is only secure if you verify each JWT (its signature and its expiry) before trusting the claims inside it.
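The three lessons side by side, as an added example that is not part of the original post. It uses only the Python standard library to issue an HS256 JWT (the salesperson dating and signing the ticket), then contrasts a "presence only" decode with a full verification that pins the algorithm, checks the HMAC in constant time and enforces `exp`. The secret, the clock value and the claims are constructed for the demonstration; a real service would load its key from a secret store and use a maintained JWT library rather than this hand-rolled version.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed, example-only secret; a real service loads this from a secret store.
SECRET = b"example-signing-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 3600,
                now: Optional[int] = None) -> str:
    """The salesperson writes the date on the ticket and signs it (HS256 JWT)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = {**claims, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(body)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_without_verifying(token: str) -> dict:
    """Ride operator only checks that a ticket exists: returns the claims as written,
    trusting nothing. This is lesson 2: the bearer can claim to be anyone."""
    _, payload_segment, _ = token.split(".")
    return json.loads(b64url_decode(payload_segment))


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Ride operator checks the signature and the date, then trusts the claims.
    Raises ValueError on any failure (lesson 3)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_segment, payload_segment, signature_segment = parts
    header = json.loads(b64url_decode(header_segment))
    # Pin the algorithm: never let the token tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_segment + "." + payload_segment).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(expected, b64url_decode(signature_segment)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_segment))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Walk the lessons with constructed tokens at a fixed clock value."""
    genuine = issue_token({"sub": "alice"}, SECRET, ttl_seconds=60, now=now)
    header_seg, _, signature_seg = genuine.split(".")
    # The "photocopied ticket" with a different name written on it: alice's
    # signature kept, payload swapped.
    forged_payload = b64url_encode(json.dumps(
        {"sub": "admin", "iat": now, "exp": now + 60}, separators=(",", ":")).encode())
    tampered = header_seg + "." + forged_payload + "." + signature_seg

    def outcome(fn, *args):
        try:
            return fn(*args)["sub"]
        except ValueError as err:
            return f"rejected: {err}"

    return {
        "presence_only_genuine": decode_without_verifying(genuine)["sub"],
        "presence_only_tampered": decode_without_verifying(tampered)["sub"],  # 'admin', trusted blindly
        "verified_genuine": outcome(verify_token, genuine, SECRET, now + 10),
        "verified_tampered": outcome(verify_token, tampered, SECRET, now + 10),
        "verified_expired": outcome(verify_token, genuine, SECRET, now + 61),
        "verified_wrong_key": outcome(verify_token, genuine, b"other-secret", now + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The unverified decode happily reports `admin` for the tampered token, which is exactly the "present any JWT you like" failure; `verify_token` rejects the same token because the signature no longer matches the payload, rejects the genuine token once its `exp` has passed, and rejects it under a different key. Pinning `alg` to the one the server expects is what stops a token from declaring its own (weaker or absent) verification method.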


Top comments (1)

Andres Moreno

Great analogies!
