
Example queries DB for each request #112

Closed
mathieuprog opened this issue May 4, 2017 · 1 comment
Comments

@mathieuprog

As I understand it, the user is authenticated once with e.g. email/password and a token is generated. Then this library comes in handy and allows me to validate the token received on each request requiring authentication.

One advantage of JWT tokens is that the DB could potentially be queried only once (during first authentication/generation of token). However, in this default example, the DB will be queried for each request (requiring authentication); the example not only validates the token with the secret, but also checks if the id exists in the database and fetches the user; is there any reason for that?

Shouldn't I just return the user id instead of fetching the user every time:

return done(null, {id: jwt_payload.sub});

@mikenicholson (Owner)

I see where you're coming from - JWTs can be used as a means to provide stateless auth for an application, which can reduce DB queries, etc. This all depends on how you implement the authentication scheme. This strategy does not provide a full authentication scheme on its own and is intended to be used as part of a larger auth scheme implemented by the developer.

Per RFC 7519:

JSON Web Token (JWT) is a compact, URL-safe means of representing
claims to be transferred between two parties.

In the case of the example code - it is a simplified snippet of an application that relied on a JWT sent from an Android application to provide authentication for users in our database. We validated the JWT against keys that Google made available via a public URL. Once we validated the JWT provided by the app we switched the client over to our own internal authentication scheme. This is a totally valid use of JWTs that required a DB query each time a JWT was provided to the endpoint.

The example is only intended to show how to construct and use the strategy. It's not intended to show best practices for implementing auth schemes. Since this module is intentionally small and intended to be used as only part of an authentication scheme, it is probably beyond the scope of the README to presume any best practices or how the passport-jwt module should be used.
