great topic to cover! however what you actually want to send back to the user after login is just the jwt secret (which you also store attached to the user). the client (browser) code then uses jwt.sign to create tokens that get sent through the Authorization header and looks something like "Authorization: Bearer {token_here}". Auth protected endpoints on your end would inspect the authorization header and run jwt.verify to make sure that the token matches the jwt secret of the user. if so proceed. if not return 401 Unauthorized.
that is correct. on the server side (express js side), it's job is to verify the tokens being sent in the request to authorize the user. so express js auth middleware will most likely use jwt.verify . in your browser code, before making the request is where jwt.sign would be used to create a token that gets put inside of the request that is verified by your express js api. so when the user logs in you send them their jwt "secret". so express js and the user with the browser both have the secret. the user uses that secret to create jwt tokens. express js checks to see if that token is valid using the secret as well. I also forgot to mention that there should be another header field where they specify which account they are authorizing as. For me, I have used another header field called "Account" where their email is inserted. If you like I could create a fork from your code base and put together a quick example with an explainer. just let me know. keep up the great work!!
great topic to cover! however what you actually want to send back to the user after login is just the jwt secret (which you also store attached to the user). the client (browser) code then uses jwt.sign to create tokens that get sent through the Authorization header and looks something like "Authorization: Bearer {token_here}". Auth protected endpoints on your end would inspect the authorization header and run jwt.verify to make sure that the token matches the jwt secret of the user. if so proceed. if not return 401 Unauthorized.
Does that mean i do not have to write code to create the tokens, or where that piece of code be written?
that is correct. on the server side (express js side), it's job is to verify the tokens being sent in the request to authorize the user. so express js auth middleware will most likely use jwt.verify . in your browser code, before making the request is where jwt.sign would be used to create a token that gets put inside of the request that is verified by your express js api. so when the user logs in you send them their jwt "secret". so express js and the user with the browser both have the secret. the user uses that secret to create jwt tokens. express js checks to see if that token is valid using the secret as well. I also forgot to mention that there should be another header field where they specify which account they are authorizing as. For me, I have used another header field called "Account" where their email is inserted. If you like I could create a fork from your code base and put together a quick example with an explainer. just let me know. keep up the great work!!
Okay, I'd greatly appreciate that. It's pretty confusing for me here is the link to the repo github.com/M-Tee/SCAMP-Assesment