
I have a working authentication process with a React front and a node server. When the user logs in, the server returns an encrypted jwt with a payload containing potentially sensitive information (email, geolocation, etc). The payload is then stored in a context. If the user comes back to the website later, the app will check if a valid token is in localStorage and will then populate the context again. This reduces the load on the server and speeds up the app.

React is safe from XSS, so technically, I should not be worried about any thief. However, I want to make things as safe as possible and not make stupid bets.

I use node's jsonwebtoken library. It allows me to encrypt the jwt with stronger algorithms such as ES512, which is much safer than a base-64 encryption. If an attacker steals the jwt, will he manage to decipher it without the secret key? Isn't this process actually safe?

If not, then I'll just send a basic jwt with the user-id, and automatically fetch the user's info based on it every time the user refreshes the page or visits the website. Thanks for your input.

DoneDeal0
  • JWTs are generally signed, not encrypted. So they are readable without the key. They just can't be *forged* without the key. Are you actually encrypting as well as signing the JWT? By the way, JWTs are not ever signed or encrypted with just Base64. – Joe Feb 26 '21 at 20:46
  • *It allows me to encrypt the jwt with stronger algorithms such as ES512, which is much safer than a base-64 encryption* - Base64 is no encryption. ES512 is a signature algorithm, but no matter what kind of algorithm is used for the signature, the payload can always be decoded. If you need encryption, look for JWE, (JSON Web Encryption, encrypted tokens). – jps Feb 26 '21 at 20:47
  • Does this answer your question? [Is it safe to store a JWT in localStorage with ReactJS?](https://stackoverflow.com/questions/44133536/is-it-safe-to-store-a-jwt-in-localstorage-with-reactjs) – Ajeet Shah Feb 26 '21 at 20:48
