0

First time learning about JWTs...

I have a NodeJS/Express/Angular 2 application integrated with Auth0 Facebook login.

I'm currently storing the user profile details in localStorage and am aware that this can be edited through the dev console.

I want users to be able to make a certain post regardless of whether they've logged in or not (and associate their user account with the resulting entity in the database when they have logged in). However, I would like to verify that they haven't altered the localStorage object in any way, perhaps in an attempt to impersonate another user etc.

Is one route capable of handling this or should I split it out into two separate routes for authenticated users/guests and exclude the guest one from JWT checks?

Any general advice around this topic appreciated too

Matt Durkin
  • 267
  • 1
  • 3
  • 9

1 Answers1

1

You should have two types of routes. The ones that can be accessed when authenticated and the other ones without any form of authentication. This is pretty much the only way you should do it.

Besides that, you can keep whatever you want in localStorage. The JWTs are signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA. If one copies it from the localStorage and sends it to another one, that is not your problem.

Starmetal
  • 740
  • 6
  • 14