
I want to allow users to reset their password. In order to do so, I first check if their email exists in the database; if so, I send them an email with a link to a reset-password page. In order to make sure the link is secure, the latter is made with a JWT token that is only valid for 15 min.

However, the url cannot be reached because there are "." in the jwt:

http://www.myapp.com/reset-password/eyJhbGciOInR5cC.ICJlywY2svp6eL98LHd.RpYylmPI

If I remove the dots, the url is understood (I use React router by the way). How to fix this? Is there another way to achieve this reset formula with a temporary url?

DoneDeal0
  • `.` is not invalid, nor does it need encoding with encodeURIComponent etc. You need to fix how you handle that incoming route parameter, as that's where the issue is. btw a JWT seems excessive when you can make a small hash and store it in the db with a date – Lawrence Cherone Oct 01 '20 at 21:19
  • Just now tried to catch string with dots, and express successfully catches it. Can you provide more info? Used express@4.17.1 `app.get('/reset/:pass', (req, res) => { /* decrypt here, and continue */ res.send(req.params.pass)})` – Denis Rohlinsky Oct 01 '20 at 21:26
  • @DenisRohlinsky I use React and react-router. It's a single page application, the pages are not served by a server. The server is only here to handle db transactions. My route is defined as such:. It crashes if the token contains ".". – DoneDeal0 Oct 02 '20 at 08:32
  • @LawrenceCherone What would be your strategy with the hash in the db? – DoneDeal0 Oct 02 '20 at 08:33
  • You can replace the periods with `%2E` or append a trailing slash to the URL: `https://www.example.com/your.JWT/` rather than `https://www.example.com/your.JWT`. See [How to encode periods for URLs in Javascript?](https://stackoverflow.com/questions/4938900/how-to-encode-periods-for-urls-in-javascript) – ggorlen Jun 30 '22 at 00:55

1 Answer


Instead of sending the JWT token as a GET param, send your JWT token through the Authorization: Bearer header, which I would recommend doing (for more details see https://www.rfc-editor.org/rfc/rfc6750).

If you use Axios for your requests, then you can check out the answer right over there.

You can find an example of the headers here.

FixMK