I am developing an iOS application which requires users to be able to sign in, register an account and log out.
In the app, when logged in, they can do a variety of stuff. But that doesn't (really) matter now. I use Node.js as backend and am in the process of sending back a JSON Web Token (JWT) when the credentials are correct. Now I am merely wondering if this is really secure.
I have been looking around on the Internet for the last week for the safest way to build an authentication system based on username and password. I store my passwords using bcrypt in a MySQL database. Matching them works fine, so I can actually log in - but I want to generate a key to allow access afterwards so the user doesn't have to log in on every page he visits.
JWT seemed like a good option, but the more I read about it, the more I am convinced it is not as safe as I want it to be. After all, I don't want someone to retrieve a JSON Web Token, change it to something else, and suddenly have access to someone else's account.
An example of how I use JWT is shown below:
const jwt = require('jsonwebtoken');

// Only the user name goes into the token; the payload is signed, not encrypted.
const payload = {
  userName: rows[0].userName
};
// `secret` is the server-side HMAC key used to sign (and later verify) the token.
var token = jwt.sign(payload, secret, {
  // expiresInMinutes: 1440   (older option name; current jsonwebtoken versions use expiresIn: '24h')
});
If I try to decode this, in no time I can retrieve the userName. That can't be safe.
I have researched a lot about this, there are a lot of discussions, but I fail to understand why so many applications use it then. I must be missing something in terms of security or how I can make this a better system to use. If not, are there any other systems I should look into to authenticate my users using username and password and keep them logged in?