
Able to retrieve endpoint regardless of secret – jwt-simple (Node/Express)

Posted by: admin June 30, 2018


I have an endpoint. I also have middleware. This middleware checks if the call from the front end has a valid RS256 token with it. I’m using jwt-simple to do so.

I’m able to retrieve the data from my endpoint fine, but if I were to use any other JWT token, it would work. I need to validate the specific token somehow. I would have thought that instead of grabbing a property from the decoded object and checking if it’s what I’m looking for, I would just check before the decoding process with the secret, but I’m not sure where that would be since I’m generating the JWT token from another application.


const jwt = require('jwt-simple');

app.use((req, res, next) => {
    if (!req.headers.authorization) {
        return res.status(403).json({ error: 'No credentials sent!' });
    } else {
        let token = req.headers.authorization.split(' ')[1];
        var secret = Buffer.from('unknown').toString('base64');
        try {
            // jwt-simple throws when the token is malformed or its signature does not verify
            var decoded = jwt.decode(token, secret);
        } catch (err) {
            return res.status(403).json({
                error: 'invalid token'
            });
        }
        next();
    }
});