JWT decode vs verify - Understanding which to use for token verification

Captions
Hi guys, and welcome to my YouTube channel. In this short video I'll be explaining the difference between jwt.verify and jwt.decode. Of course this is something you'd find in the documentation, but I find people using this wrongly in their application, so I'm going to explain that.

So firstly, let me create a token. I have this secret here, and inside the token the only payload I'll be having is an email, dillion@gmail.com. So let me log this, and over here I'll just run it with node, and this is the token here. I'm going to copy this, and back here I'm just going to replace this with the token.

Now, just as we know JWTs (let me zoom out so we can see everything; I'm going to zoom back in in a few seconds), in JWT tokens we have three sections: the first section before the full stop, the second section before the full stop, and the third section. This first section is the header, this second section is the payload, and this third section is the signature.

Now going back to jwt.decode. Okay, I'm going to do it like this: we have jwt.decode and you put the token here. This is only going to decode the payload, which is the section in the middle. It does not check if the key is valid or if the key is invalid, and we can check that by logging decoded: node index.js, and you can see I have decoded, email dillion@gmail.com, and then other payload properties provided by JWT.

Now for example, if a user logs into an application and in your source code you are only verifying that user, if the user is authenticated, using the decode method, your site becomes vulnerable to hackers, because you are not making use of the secret, and this way they can use any user's password or their own ungenerated passwords and have access to resources that are supposed to be private.

But on the other hand, when you use verify, jwt.verify, you don't only pass the token but you pass a second argument, which is the secret, and I can log this too. So if this token is verified we'll get the payload properties, and if it is not verified we get an error. So for now, since the secret is still intact, let's see what we get. So I run this again, and then I have decoded to be this and I have verified to be this. But say I go back now and I change the secret to something else; going back here, see, there is an error, which is the invalid signature. The verify method does not only decrypt the payload, but it also makes use of the header, the payload and, most importantly, the signature, which was generated using the secret.

So like I said, I find this in applications where people are trying to verify if a user is authenticated using the decode method, but the decode method only breaks down the payload. What you're supposed to be using is the verify method. So if you find this video helpful, kindly like, kindly subscribe, and then kindly share.
Info
Channel: Dillion Megida
Views: 587
Id: vgocTvahk18
Length: 3min 47sec (227 seconds)
Published: Sun Jun 13 2021