Great article but I still have some doubts.
1 - To create the token you have passed user._id parameter, but to check using verify function you haven't passed the same parameter. In this case can an user use a token of other user?
2 - Is possible to add inside token other parameters to check after, like a list of permissions? In your example all users have the same access, but in a case where different users has different access levels, we need a way to check it inside middleware function, right?
Thank you, I'm glad you liked it.
This act of verifying users is called authorization. It means that a certain type of users has access rights to some resources. The verify function is checking whether this user has the access right. The tokens are only as a way of granting permission to the resource.
Yes, you can add more properties to the object you sign the token with. Such as a roles array. But all the checking will be done inside a middleware function. However, beware. Never sign the token with the whole user object. This is very dangerous as the token can end up having the user's password. That's not something you want happening.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.