Hi, why use jwt.decode, not jwt.verify

[jet10000]

polka()
	.use(
		compression({ threshold: 0 }),
    sirv('static', { dev }),
    cookieParser(),
    (req, res, next) => {
      const token = req.cookies['my-jwt']
      const profile = token ? jwt.decode(token) : false

https://github.com/antony/sapper-authentication-demo/blob/master/src/server.js

Is this safe? The client can construct jwt that can be decoded.

[antony]

@jet10000 You should watch the talk. There are no secrets in the Sapper part of the application, because it doesn't do anything secure.

Security and authenticity of tokens is all done on the server side, where secrets are safe.

[jet10000]

That mean sapper just share session info between sapper pages and components？ all requests api sever need sapper send jwt to api server, and api server self verify jwt and decode jwt info, is that right?

[antony]

Your browser sends cookies to the api, the api checks authenticity. Watch the talk :)

[jet10000]

Sapper official example show blog posts that a json data file , if the posts from api server, so this request by sapper.

Browser(with cookie) -> sapper -> api sever

[antony]

This is also fine, but requests direct to the API will also receive the cookie. Requests anywhere on the same domain will recieve the cookie. The only place that can't see the cookie is the Sapper clientside app.

On Fri, 8 May 2020 at 14:36, jET ***@***.***> wrote: Sapper official example show blog posts that a json data file , if the posts from api server, so this request by sapper. Browser(with cookie) -> sapper -> api sever — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#5 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABVORL4G4GI7KQRJR4CJW3RQQDFPANCNFSM4M3R4DLA> .

--

…

________________________________ ꜽ . antony jones . http://www.enzy.org

[jet10000]

The only place that can't see the cookie is the Sapper clientside app.

I am a little confused, can you give an example?

[antony]

The talk explains everything as clearly as I can.

On Fri, 8 May 2020 at 17:19, jET ***@***.***> wrote: The only place that can't see the cookie is the Sapper clientside app. I am a little confused, can you give an example? — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#5 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABVORNIP2TL5MW3ACZV7ULRQQWKTANCNFSM4M3R4DLA> .

--

…

________________________________ ꜽ . antony jones . http://www.enzy.org