Sending jwt token and user data from external backend
Answered
Iridescent shark posted this in #help-forum
Iridescent shark (OP)
I have a sign-in method that sends the username, image and a JWT token that contains the user id and role. Should I also send the user role outside of the JWT token to use it in route guards in the Next app, or should I decode the JWT token in React every time to check the role? Which way is better?
Answered by B33fb0n3
7 Replies
I prefer storing the token and also the payload.
If you need to verify the token, you can verify it and then trust the payload, and if you already trust the payload, you can get it directly.
Iridescent shark (OP)
@B33fb0n3, thank you. Is it secure to send the role and id outside of the JWT token? Also, if it isn't hard for you to answer, should I validate the user role that I receive in the JWT on the backend against the database, or is it normal to trust JWT data?
When you store your payload, the client can modify it. So don't trust the payload object.
If you need to trust the payload, then get the payload from the verified token.
Normally that "verify and get the payload from verify" is one backend call. Then you have a secure payload, a payload that you can trust.
Answer
Iridescent shark (OP)
got it, thank you
please mark solution