The token isn't verified on the backend in his code.
I guess you should use jwt.verify in the backend to avoid spreading the access token secret on 2 different servers. In this way using jwt.decode on the server-side is ok.
Yes - as you've noticed this is a vastly simplified example. I'm not here to teach JWT best practices, we could go into all sorts of detail about how to verify authenticity, expire, renew, etc!
It's important to keep things as simple as possible so that the code is easy to understand. Decoding an entire JWT to set an authenticated boolean is also not particularly useful :)
If you're using JWT in your app - it's essential to understand what a JWT is and how it works, but that's out of scope for this example :)
Hello,
IIUC, the server will accept any JWT.
If so, this is a big security vulnerability in what seems to be one of the most widely cited examples of implementing auth for Sapper applications. I think we should update the example to use jwt.verify.