Tags: node.js, api, jwt, token, refresh

secured API with a JWT


I am currently learning how JWT works and I am making an API with it. I've made a middleware function so that for each call to a secured route, the middleware is called and analyzes the accessToken. I pass the token in the header of the HTTP request in the authorization field, but here are my questions:

  • Can anybody look at the access token in the header of an HTTP request? Because if that's the case, this is really not secure, is it? Anybody could look at his friend's accessToken and make API requests with it?

  • I already made a refresh function to get a new access token when it expires, but my /refresh route is without middleware because the accessToken is expired when we call the /refresh route. So the /refresh route is also not secure and it returns a new accessToken ....

Please help me, I really want to learn how it works...


Solution

  • It depends on the type of connection you are sending the request using:

    • If the request is sent using SSL encryption (i.e. HTTPS), then you probably won't have to worry about anyone looking at the headers, as the strong encryption will not allow anyone other than the recipient (the server) to look at the request.
    • However, if there is no SSL encryption, then the payload sent to the server is exposed, open to prying eyes and vulnerable to MITM attacks.