I am developing an Angular web app that communicates to its back-end via RESTful API. Currently I am using JWTs to store the state (current user ID, etc). I use jsonwebtoken and passport-jwt packages to implement the JWT with my Node.js-Express application.
Sometimes I might need to store in the state some information (for example, a secret encryption key) that is relevant to the session, but that should not be known by the user.
Since the JWT payload is signed but not encrypted, and its contents are plainly visible to anyone who cares to decode it, it is not appropriate to store secret content directly in the payload. While I could implement some kind of self-made encryption, either of the whole JWT string or just the secret variable's value in the payload, I am looking for the "right" or "traditional" way to handle this.
via Passiday