How is angular-jwt decoding my JWT without a secre

2019-04-21 08:47发布

The Auth0 team created something called "angular-jwt" which has a jwtHelper class. This thing successfully decodes a local JWT without the secret I used on the server. How did this happen? If they are not secure, then what is the point of using a secret to sign/encrypt them?

Function on the server that encrypts the token (using "jsonwebtoken"):

function createToken (user) {
    return jwt.sign(_.omit(user, 'password'), config.secret, { expiresInMinutes: 60*5 });
}

Code from the client:

angular
    .module('sample.home', [
        'ui.router',
        'angular-storage',
        'angular-jwt'
    ])
    .config(function ($stateProvider) {
        $stateProvider
            .state('home', {
                url: '/',
                controller: 'HomeCtrl',
                templateUrl: 'modules/home/home.html',
                data: { requiresLogin: true }
            })
    })
    .controller('HomeCtrl', function homeController ($scope, $http, store, jwtHelper) {

        $scope.jwt = store.get('jwt');
        $scope.decodedJwt = $scope.jwt && jwtHelper.decodeToken($scope.jwt);

    });

Here's a link to the full example: http://github.com/auth0/ang...

标签： node.js express jwt auth0 express-jwt

1条回答

仙女界的扛把子

2楼-- · 2019-04-21 09:08

A JWT uses encoding, not encryption. The data that the token contains is not a secret, anyone can decode it and view. What the server does, is it signs the token using a secret (in your case, config.secret), which effectively makes it impossible to modify the token without knowing the secret. Hence, only the server will be able to change the contents of the token, but anyone can read it.

0人赞添加讨论(0) 举报

How is angular-jwt decoding my JWT without a secre

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间