Home » Javascript » Able to retrieve endpoint regardless of secret – jwt-simple (Node/Express)

Able to retrieve endpoint regardless of secret – jwt-simple (Node/Express)

Posted by: admin June 30, 2018 Leave a comment

Questions:

I have an endpoint. I also have middleware. This middleware checks if the call from the front end has a valid RS256 token with it. I’m using jwt-simple to do so.

I’m able to retrieve the data from my endpoint fine, but if I were to use any other JWT token, it would work. I need to validate the specific token somehow. I would have thought instead of then grabbing a property from the decoded object and check if it’s what I’m looking for I would just check before the decoded process with the secret, but not sure where that would be since I’m generating the JWT token from another application.

app.js

app.use((req, res, next) => {
    if(!req.headers.authorization){
        return res.status(403).json({ error: 'No credentials sent!'});
    } else {
        let token = req.headers.authorization.split(' ')[1]

        var secret = new Buffer('unknown').toString('base64')
        var decoded = jwt.decode(token, secret);

        if(!decoded){
            return res.status(403).json({
                error: 'invalid token'
            }); 
        }
    }
    next();
})
Answers: