Angular and JWT - how does client verify token?

Question

If I were to provide a fake JWT, I realized Angular would "accept it" as logged in as most tutorials just check if a JWT key is set in localStorage (and if it's not expired.)

Is there something I'm missing about using JWT? I feel the client needs to check to check if the token actually came from the server. Consider this scenario:

User goes to route /#/admin with fake JWT that looks something like: {'username': 'hacker', 'role': 'admin'}. Now the user sends a token to the server, which checks signature (& expiration), since the secret signing key is wrong, the user receives a 401/403 response from the (API) server, and the client hangs (blank screen with toolbar) as no valid response came from server.

Is this "safe" or "okay" that a user can bypass my Guard with a fake JWT since they cannot get any data from server anyways?

score 3 · Accepted Answer · answered Jun 30 '17 at 15:32

3

It's in fact normal.

If the user's token gets rejected by the server you should log him out.

Even though he can pass the guard, he will never have any data from your admin panel as the server should reject every single request due to invalid JWT. So you should not worry.

answered Jun 30 '17 at 15:32

Ploppy

14,810
6
41
58

The "logout on rejection" is what I was conceptually missing. Now that the user is logged out on rejection, the user was successfully kicked off the client :) – Moshe Jun 30 '17 at 15:35
Yes! Don't forget to accept the answer if it fits you. – Ploppy Jun 30 '17 at 15:36
Oh sorry, my bad :D – Ploppy Jun 30 '17 at 15:39

Angular and JWT - how does client verify token?

1 Answers1