clarkk clarkk - 1 month ago 21
Node.js Question

decode jwt token - is it secure?

Have setup a test server with express, socket.io and a token-based authentication with jwt

Have looked at this tutorial
https://auth0.com/blog/2014/01/15/auth-with-socket-io/

On the server-side the tutorial logs the decoded token

console.log(socket.handshake.decoded_token.email, 'connected');


But when I try to log
socket.handshake.decoded_token
the variable is undefined..
socket.handshake
doesn't contain any variables with the decoded token

So.. I tried to google how to decode the token and found this page
https://developers.google.com/wallet/digital/docs/jwtdecoder

I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking.. How can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8

dc5 dc5
Answer

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail