I am using Passport-local on Node.js (saving user info in MongoDB) and Angular.js as the client. The process is easy. However, here are 3 security concerns:
When I log in on the client, a JSON file with the user and the real password is sent to the server.
After I log in, the token is saved in the web browser's local storage, where it can be seen, copied and used in the future.
The salted JWT token is saved with the username in the MongoDB Users collection, where it can be seen and moved to another server (so that we can use the same username and password from another server to log in and get a new token).
Would anyone like to discuss these further? Any ideas on how to solve them and reduce the risk to the website? How about using HTTPS?
There is no need to store the token in your user schema if you just want to verify your token on other server instances as well, because jwt.verify() gives you the functionality to check whether the token is valid or not. And if the token is valid, then you get in return the user info which you used at the time of token creation. If you find that user in your database, then your token is OK with a valid user, otherwise not.
The main thing when creating a token is to set expiresIn according to your server demands, so that even if your API security is compromised, it won't be available for a long time.