
Decoding HS256 in client side?


I'm using json web tokens for my app.

When I log in to my site and want to see who the logged-in user is, I have a previously stored token with all the needed data in it, encoded with HS256.

Should I use this token payload to show "Hello ..." and the user name which is inside the payload, or should I decode the token server-side and retrieve the user data from there?

Is there any client-side library to decode HS256 for me to use? Or is it bad practice and should it be avoided?


Solution

  • JWT is self-contained and is protected with a digital signature. You can perfectly well use the information contained in the token, but you should validate the expiration time and ensure that the digital signature has not been altered.

    To verify the signature on the client side you would need the key to be asymmetric and use the public key to verify. Maybe sending the token to the server saves you problems. Depending on the operation, you could take the risk, as long as the token is used for authentication on the server and the server performs the validation.

    Is there any client-side library to decode HS256 for me to use? Or is it bad practice and should it be avoided?

    In fact, you do not need any library. The payload is base64url encoded, and can be easily decoded in any programming language. You would need a library to verify the digital signature. Take a look at jwt.io