To create a user token, we pass the token payload and the secret key, and it returns the token.
const token = jwt.sign(data, "secretkey");
Instead of hard-coding the word secretKey (or any word) as the secret key, is it good practice to use the user's password as the secret key?
const userToken = jwt.sign(tokenPayload, userPassword);
Mostly, the payload consists of user data that we want to get on the client side:
{
userId: 123,
email: "user@example.com",
image: "example.com/image.png"
}
So my idea behind passing userPassword instead of a hard-coded secret is to create a more secure auth token.
What are your thoughts on this idea and what are the possible down-fall of it?
Maybe I'm wrong but I don't know how this should work.
When you use the user's password to sign the JWT, how can you unsign it later on? How do you know which password you have to take to unsign the token?
CS Student | Software Developer
This is an interesting question. It really depends on what you are using this JWT for and what your expected benefits are. Could you add a bit more detail?
The first thing that comes to mind for me is that JWTs allow you to store data with the token and verify it so that you don't have to look that data up in a database. But using a user's password hash (well, I presume you mean the hash of their password, as you should not be storing the password in plain text) means you need to look up the user record to retrieve that hash and verify the token.
One other side effect that comes to mind is that any user that updates their password will instantly invalidate any JWT signed with the old one. This may sign your user out across all open sessions, which could be a desirable effect, but worth considering.
Gustavo Benedito Costa
Deaf-born, computer science student and language lover
Ah, you invited me to answer this question. I did not follow Hashnode for months. Unfortunately, I am not experienced in Nodejs and the Nodejs world (Angular, React and Vue).