jwt.io says Signature Verified even when key is not provided
I signed a jwt in nodejs with the below snipet.
var jwtoken = jwt.sign({ email: '[email protected]', name: 'test' }, 'abcd');
I got the below token after signing
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJuYW1lIjoidGVzdCIsImlhdCI6MTYzNjE4MjYwOX0.07FXjm1lKEIiU_QOMEEOFzhsC0vtKt4PFoW-7YHHzyM
I wanted to verify this with jwt.io when I paste the JWT in jwt.io, I can see the the site says the "Signature Verified" for whatever key I provide(I dont need to provide abcd which is my actual key). I was expecting that the key would be required to determine if a signature is valid. How does the jwt.io determine if a jwt is valid without the original key.
The https://jwt.io debugger works in both directions, you can inspect and verify tokens or create and sign tokens.
Esp. when you have a token signed with a symmetric algorithm (i.e. HS256, HS384, or HS512), you can easily get a false verification because there's only one key for signing and verifying the token.
When you first paste your token on the left side and then paste the secret or key into the field under 'verify signature' in the right column, the signature will be recreated and it might change if the secret is not the one that was used to create the original token. In this case, the result is always 'signature verified', because the signature was just calculated based on the entered secret.
The correct way to verify a signature is to first paste the key into the secret key field and then paste the token to the left part of the debugger. Always make sure, that any other content in the input fields is overwritten. If your key is actually Base64 encoded (i.e. a binary secret that is stored in Base64 encoded form), you should tell jwt.io by checking the "secret base64 encoded" checkbox.
Then the result, either 'signature' verified' or 'invalid signature', will be correct.
Every secret that you enter after that causes a recalculation of the signature and then it's always verified (with the new secret). Also clicking on the "secret bas64 encoded" checkbox causes recalculation.
But if you do it in the right order, a wrong secret causes an "invalid signature" result:
- How to add Title in video by ffmpeg on Node JS
- How can I pass custom data to Stripe webhook?
- Mongoose Activity model with dynamic reference
- What approach to take when making a webpage with contact form and using parcel.js 2 bundler
- Client request fails with 502 after 2 minutes
- Mongoose Unique index not working!
- Error : create-react-app Aborting installation
- adding .css file to ejs
- Error: Accessing non-existent property. Module exports in circular dependency
- Iron.seal does not work when user log in
- Meteor GoogleMaps.load() not working on iOS with Iron
- Npm package whatsapp-web.js broke
- error column cannot be null, trying to upload file into sql
- How to encrypt decrypt with Node.js crypto module?
- Deleting `package-lock.json` to Resolve Conflicts quickly
- Time difference function giving negative value
- use helper of handlebars-express in view
- Why my form validation while logging in is not working?
- Get interaction's reponse message object discord.js
- PHP / Apache / Node / Puppeteer - Error: Failed to launch the browser process
- Run of a next js app stuck, npm run dev doesn't work
- how to rate limit next.js server actions?
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- Fixing npm path in Windows 8 and 10
- Property 'id' does not exist on type 'User' with Passport and Typescript
- MongoDB .deleteOne not working in Node.js
- Webpack for back-end?
- Open a TCP/IP connection via socket with a label printer
- Why does "npm install" rewrite package-lock.json?
- permission problem with opennms running a nodejs script in notification