Skip to content

notumar/auth-jwt

 
 

Repository files navigation

Banner

A demo to learn JWT by reverse engineering

How To Use It

  1. Head over to the demo hosted on repl.it (Or run it on your local machine : clone repo -> npm install -> npm start)
  2. Play around with the configurations
  3. Read the cues at every page with more resources to go deeper into concepts

Demo GIF

Documentation

If you want to extend code for more functionalities, checkout the documentation

References

About Tokens

Cryptography

Invalidating JWT

  • Simply remove the token from the client
  • Create a token blacklist
  • Just keep token expiry times short and rotate them often
  • Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

Securtity Risks

Implementations(Examples/Demos)

Other Useful Tools

About

A demo to learn JWT by reverse engineering

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 100.0%