After a successful login, my node application returns a JWT token.
The JWT is signed with user ID, expiration date and secret.
Here is how I would generate a token for the user with id: 1:
// Assumed wrapper: the original snippet only showed the return statement and a closing "};"
const jwt = require("jsonwebtoken");

const generateToken = (exp_date) => {
  return jwt.sign({
    _id: 1,
    exp: exp_date, // expiration as a Unix timestamp in seconds
  }, "MY_SECRET");
};
Since my backend application identifies the user from its token:
Would it be possible for the user with "id:1" to edit his valid token, set it to "id:2", and then start fooling around in the back end application as if he were the user with "id:2"?
Not unless someone got access to your private key which you're using to sign the JSON