Example is insecure by default #16

Closed
Clee681 opened this issue Dec 6, 2020 · 2 comments
Clee681 commented Dec 6, 2020

Hello,

IIUC, the server will accept any JWT.

```js
// jwt.decode() only base64-decodes the payload; it never checks the signature,
// so any well-formed token, including one the client made up, yields a profile.
const profile = token ? jwt.decode(token) : false;
// omitted code
authenticated: !!profile
```

If so, this is a big security vulnerability in what seems to be one of the most widely cited examples of implementing auth for Sapper applications. I think we should update the example to use jwt.verify.

@sylvain-reynaud

The token isn't verified on the backend in his code.
I guess you should use jwt.verify in the backend to avoid spreading the access token secret across two different servers. In this way, using jwt.decode on the server side is OK.

antony (Owner) commented Feb 6, 2021

Yes - as you've noticed this is a vastly simplified example. I'm not here to teach JWT best practices, we could go into all sorts of detail about how to verify authenticity, expire, renew, etc!

It's important to keep things as simple as possible so that the code is easy to understand. Decoding an entire JWT to set an authenticated boolean is also not particularly useful :)

If you're using JWT in your app - it's essential to understand what a JWT is and how it works, but that's out of scope for this example :)

@antony antony closed this as completed Feb 6, 2021