JWT support
-
Being able to use JWTs instead of sessions would be nice.
It'd probably also be faster than storing sessions in Redis (whether it is your primary datastore or you use it with MongoDB to speed sessions up), since it's just a quick HMAC and no extra round-trips are involved.
Plus since it doesn't rely on cookies no CSRF should be possible, so no CSRF Tokens are necessary.
And you get to save a minimal amount of bandwidth by only adding it to the requests that actually need auth ^_^
-
JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
Interesting. Although I don't know if it's worth it.
-
Although if someone's forum is not HTTPS, then man in the middle still makes it all pointless
If you're running NodeBB and you worry about XSS or session hijacking then before you do anything, get an SSL certificate and set up a reverse proxy with nginx to serve the forum.
-
Ah, I've played around with that too... with a properly decoded JWT, you could theoretically just call req.login and log in the user. But that's implicitly trusting the token itself, so if your secret ever got out, then all accounts are essentially compromised.