Fri May 17 2019
What is JSON Web Token and how does it help keep Node.js secure?
JSON Web Token (JWT) is a JSON-based open standard for creating access tokens that assert some number of claims. JWT claims are typically used to pass the identity of an authenticated user between an identity provider and a service provider, or to carry any other type of claim a business process requires.
JWT relies on other JSON-based standards: JWS (JSON Web Signature) and JWE (JSON Web Encryption).
In practice a JWT is usually a signed (not encrypted) token: the issuer signs a set of claims, the user presents the resulting token as an identifier, and a verifier can check that the claims were issued by the expected party and have not been altered. It can authenticate who you are and carry the claims used to authorize access to various resources.
How does it work?
A JWT is a compact, URL-safe string made of three base64url-encoded segments (header, payload, signature) separated by dots. Unless JWE is used, the payload is only encoded, not encrypted, so anyone who obtains the token can read the claims; what the secret (or private) key protects is the signature, which only the holder of that key can produce. Because possession of the token is what grants access, it must only be sent over HTTPS.
In authentication, when the user successfully logs in using their credentials, a JSON Web Token is returned and the client stores it (in a browser, preferably in memory or an HttpOnly cookie; localStorage exposes it to any script running on the page), instead of the traditional approach of creating a session on the server and returning a session cookie.
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema.
This is a stateless authentication mechanism: the user's state is never saved in server memory.
The server's protected routes check for a valid JWT in the Authorization header, and if one is present and its signature and expiry check out, the user is allowed to access the protected resources.
For instance, a user wants to sign in to their account. They send a request with the required credentials, such as email and password, to the server. The server checks whether the credentials are valid. If they are, the server creates a token from the desired payload and a secret key. The string of characters that results from signing is the token. The server then sends it back to the client, which saves the token and attaches it to every subsequent request. Presenting the token in the request headers is how the client proves who it is and how the server decides which resources it may access.
Advantages of JWT
Compact
A JWT is compact, which means it can be sent along with an HTTP request either in a header or in the body.
Security
When the token is sent in the Authorization header rather than in a cookie, the browser does not attach it automatically to cross-site requests, so cross-site request forgery (CSRF) attacks do not apply. If you store the JWT in a cookie you need CSRF protection again, and wherever it is stored, cross-site scripting (XSS) can steal it.
Stateless/self-contained
The token contains all the information needed to identify the user, which eliminates the need for session state. If using a load balancer, we can pass the user to any server, instead of being bound to the server we logged in on. This also improves performance, since there is no server-side session lookup on each request. The trade-off is that a token cannot be revoked before it expires without reintroducing some server-side state, so keep token lifetimes short.
Reusability
You can have many separate servers running on multiple platforms and domains that accept the same token for authenticating the user, as long as they share the key needed to verify it. This makes it easy to build an application that shares permissions with another application.
When should you use JSON Web Tokens?
Some scenarios where JSON Web Tokens are used:
Authorization
This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign-On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
Information exchange
JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed - for example, using public/private key pairs - you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
You could add an additional layer of control by storing a record of issued tokens on the server, then checking each presented token against that record. This lets the server invalidate a token before it expires (for example on logout or a password change) and reject any token it has no record of issuing, at the cost of reintroducing a server-side lookup on each request; a common compromise is to keep only a short-lived denylist of revoked token IDs (the jti claim).