Tags: rest, authorization, jwt, api-design

Passing user ID in body or in token


I'm building a REST API. The API runs a JWT authentication system.

Obviously this means that paths that are secure need a valid JWT token to be passed along with the request in the Authorization Header. Inside each jwt token I have:

    sub: 1 //_id

Where sub is the Id of the currently authenticated user.

My question is, when I pass this token, is there a need to pass the user id in the request body also? For instance, I have a create premises method. This requires a post body to contain a name and description like so:

    {
        name: "Test Premises",
        description: "Lorem Ipsum"
    }

In this case, the API would have to find the user to associate the new premises with by verifying that the token passed is valid, then decoding it and retrieving the sub field.

Is this method OK?

Are there any drawbacks?

Should I be passing IDs in the body as well?


Solution

  • Is this method OK?

    Yes, that's the point of the authentication token.

  • Should I be passing IDs in the body as well?

    You have a really big security hole if you allow the user ID to be sent from the client, e.g. another authenticated user could create premises on behalf of another user if they knew (or spoofed) their ID.