{"id":13779304,"url":"https://github.com/gitcommitshow/auth-jwt","last_synced_at":"2025-04-09T20:07:17.212Z","repository":{"id":39695642,"uuid":"282864192","full_name":"gitcommitshow/auth-jwt","owner":"gitcommitshow","description":"A demo to learn JWT by reverse engineering","archived":false,"fork":false,"pushed_at":"2022-09-02T04:19:47.000Z","size":4951,"stargazers_count":245,"open_issues_count":11,"forks_count":19,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-09T20:07:11.430Z","etag":null,"topics":["authentication","express","jwt","learning-by-doing","rfc-7519","rsa","signature"],"latest_commit_sha":null,"homepage":"https://auth-jwt--gitcommitshow.repl.co/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gitcommitshow.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-27T10:27:19.000Z","updated_at":"2024-12-03T01:21:39.000Z","dependencies_parsed_at":"2022-08-02T11:51:52.536Z","dependency_job_id":null,"html_url":"https://github.com/gitcommitshow/auth-jwt","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fauth-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fauth-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fauth-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fauth-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gitcommitshow","download_url
":"https://codeload.github.com/gitcommitshow/auth-jwt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103872,"owners_count":21048245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","express","jwt","learning-by-doing","rfc-7519","rsa","signature"],"created_at":"2024-08-03T18:01:03.652Z","updated_at":"2025-04-09T20:07:17.188Z","avatar_url":"https://github.com/gitcommitshow.png","language":"TypeScript","readme":"![Banner](./banner_auth_jwt.png)\n\nA demo to learn JWT by reverse engineering\n\n## How To Use It\n\n[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/gitcommitshow/auth-jwt)\n\n1. Head over to the [demo hosted on repl.it](https://auth-jwt--gitcommitshow.repl.co/)\n\nOr run it on your local machine by cloning the repo and running following commands\n```bash\n#Install dependencies\nnpm install\n\n#Create environment variables file\ncp ENV_SAMPLE .env\n#Defaults should work for local setup. But on production, env variables should be set for your server e.g. API_URL, FRONTEND_URL, etc.\n\nnpm start\n#Visit localhost:3000\n```\n2. Play around with the configurations\n3. 
Read the cues on every page with more resources to go deeper into the concepts\n\n\n![Demo GIF](./demo.gif)\n\n## Documentation\n\nIf you want to extend the code with more functionality, [check out the documentation](./docs.md)\n\n## References\n\n### About Tokens\n\n* [JWT](https://tools.ietf.org/html/rfc7519)\n* [JWT vs Opaque tokens](https://medium.com/hackernoon/all-you-need-to-know-about-user-session-security-ee5245e6bdad)\n\n\n### Cryptography\n\n* [Asymmetric Cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)\n* [Digital Signatures: Verifying the authenticity of a message](https://en.wikipedia.org/wiki/Digital_signature)\n* [Forward Secrecy: A way to protect against future compromises of a private key](https://en.wikipedia.org/wiki/Forward_secrecy)\n* [Encryption vs Signing](https://stackoverflow.com/questions/454048/what-is-the-difference-between-encrypting-and-signing-in-asymmetric-encryption)\n* [Encryption vs Encoding](https://stackoverflow.com/questions/4657416/difference-between-encoding-and-encryption)\n* [Hashing vs Encoding vs Encryption vs Obfuscation](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)\n\n\n### Invalidating JWT\n\n* [Strategies to invalidate JWT - SO Q\u0026A](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens)\n\n\u003e * Simply remove the token from the client\n\u003e * Create a token blacklist\n\u003e * Just keep token expiry times short and rotate them often\n\u003e * Contingency Plans: allow the user to change an underlying user lookup ID with their login credentials\n\n\u003e A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. 
This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.\n\n* [Discussion: Is refreshing an expired JWT token a good strategy?](https://security.stackexchange.com/questions/119371/is-refreshing-an-expired-jwt-token-a-good-strategy)\n\n## Security Risks\n\n* [JWT attack - signature as MAC](https://snikt.net/blog/2019/05/16/jwt-signature-vs-mac-attacks/)\n* [Recreating JWT validation bypass](https://insomniasec.com/cdn-assets/Insomnia_Security_-_JWT_Validation_Bypass_in_Auth0_Authentication_API.pdf)\n* [3 JWT design flaws](https://rodarmer.squarespace.com/security-blog/2019/7/21/jwt-security-vulnerabilities)\n\n\n## Implementations (Examples/Demos)\n\n* [Demo: How the Docusign API auth workflow uses JWT access tokens and refresh tokens](https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken)\n* [JWT Authentication \u0026 Authorization in NodeJs/Express \u0026 MongoDB REST APIs (2019)](https://medium.com/swlh/jwt-authentication-authorization-in-nodejs-express-mongodb-rest-apis-2019-ad14ec818122)\n* [JWT+Passport](https://medium.com/front-end-weekly/learn-using-jwt-with-passport-authentication-9761539c4314)\n* [JWT+Passport: Code](https://gist.github.com/ArVan/a8eb2bff9e453a1850d17dd3af1d0bea#file-app-js)\n* [JWT+Passport: Guide on DigitalOcean](https://www.digitalocean.com/community/tutorials/api-authentication-with-json-web-tokensjwt-and-passport)\n* [Passport-jwt](https://github.com/mikenicholson/passport-jwt)\n* [Refreshing a token using node-jsonwebtoken](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48)\n\n## Other Useful Tools\n\n* [Encode or Decode JWTs](https://www.jsonwebtoken.io/)\n","funding_links":[],"categories":["TypeScript","Useful Tools"],"sub_categories":["Invalidating 
JWT"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitcommitshow%2Fauth-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgitcommitshow%2Fauth-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitcommitshow%2Fauth-jwt/lists"}