re: Securing Node.js RESTful APIs with JSON Web Tokens


Thank you for your reference. One security-minded remark: You should never return a "user not found" message (or that the password is wrong) to the user. This is called an account enumeration vulnerability. This would allow someone else to find out if a user exists in your system, which then allows them to use this for a spam list, phishing and other things.

It's better to just say the provided credentials were not correct or something else sounding more generic.

This is also important for password reset functions, where it's better to just send further instructions to the provided e-mail (if an account exists) and not tell the browser/client you found/didn't find an account with that e-mail address. Just say that if an account exists with the provided e-mail address, check your inbox.


Yes, I agree fully. For demo purposes, I've made the explanations and code examples as simple as possible. But, I'd always suggest only returning a vague message such as "The credentials you entered are incorrect."

The password reset you mentioned is also a very delicate matter. I would never risk having it any other way than through e-mail instructions.

Thanks for this feedback and I'm glad you liked the article. :)
