Regarding the secret. How does that get managed on the server-side, between JWT creations and validations? Is it a static config string? Is a new one supposed to be generated for each unique user/session? Or, can I use the same secret (salt) for everything, as long as it's sufficiently complex?
This is something that most JWT articles/explanations omit, and perhaps it's taken for granted that a lot of developers haven't implemented an authorization system before, and therefore aren't sure how not to shoot themselves in the foot, security-wise.
Hello neimeier. What I have done for the secret is to add it to the user's row in the database. You will use the payload of the jwt to store the username/user id and when the user attempts to authenticate, you can verify the jwt against the secret stored in the users database row. This makes it easier to invalidate tokens as well, since if the user resets their secret in the database, every device connected will have to authenticate again.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hi, Rob. Thanks for the post.
Regarding the secret. How does that get managed on the server-side, between JWT creations and validations? Is it a static config string? Is a new one supposed to be generated for each unique user/session? Or, can I use the same secret (salt) for everything, as long as it's sufficiently complex?
This is something that most JWT articles/explanations omit, and perhaps it's taken for granted that a lot of developers haven't implemented an authorization system before, and therefore aren't sure how not to shoot themselves in the foot, security-wise.
Thanks.
Hello neimeier. What I have done for the secret is to add it to the user's row in the database. You will use the payload of the jwt to store the username/user id and when the user attempts to authenticate, you can verify the jwt against the secret stored in the users database row. This makes it easier to invalidate tokens as well, since if the user resets their secret in the database, every device connected will have to authenticate again.