
I am currently making a website for password reset. I use vue-cli, PostgreSQL and PostgREST. To secure the exchange of information between my website and the RESTful API I use a JWT that I put in the header of my requests. My problem is that when I make these requests, people can find out the JWT from outside.

So is it possible to hide this JWT in the header? Or are there any other ways to make secure requests between Vue and the RESTful API?

My function using a fetch request:

enregistrerIdent : function(){
    // The JWT is sent as the Authorization header value: anyone who can
    // observe this request (devtools, a proxy, server logs) can read it.
    let requestOptions = {
        method: "POST",
        headers: {"Content-Type": "application/json", "Authorization": this.tokenPostgRESt},
        body: JSON.stringify({"ident": this.identifiantUrl, "mail": this.mail})
    }
    // Return the promise so the caller can await the parsed JSON and handle errors.
    return fetch('http://localhost:3000/view_personnalurl', requestOptions)
        .then(response => response.json())
},

The JWT token visible to everyone:

(screenshot: header of the request)

  • Please explain what you use the token for. Does the user have to be authorized to reset his/her password? Or do you use it like an API key? – Julius Tuskenis May 03 '21 at 12:45
  • @JuliusTuskenis I use it to authenticate requests so that external users can't have access to the data in my database without having this token. What do you mean by using an API key? – Nydwhal May 03 '21 at 14:50
  • If a token is provided to a user on authentication, then there is no reason to hide it from the user who has the credentials to authenticate. So every client will have access to the token. On the other hand, if you are concerned the token might be read by the 'man in the middle', then use HTTPS with a valid certificate for your REST API. – Julius Tuskenis May 03 '21 at 18:12
  • @JuliusTuskenis Thanks for your answers, I think that I was using JWT in a bad way because I just used it so that only requests with this JWT can be done on my database and not for client authentication. I don't know if I am very clear, but I think I am going to search for another solution than JWT, which doesn't seem to match my problem. – Nydwhal May 04 '21 at 07:04
  • You are welcome. My point is you should not have "secret knowledge" in a JS client application. It is just an interface to help the user enter data more intuitively. You should not care if requests to your REST server are done from your client app or not (at least this is my opinion). – Julius Tuskenis May 04 '21 at 07:50
  • The JWT used by PostgREST is signed, not encrypted. It only guarantees that it cannot be tampered with, but everyone can read it. For password reset, maybe an OTP sent by email could be a better option. – Steve Chavez May 05 '21 at 14:03

0 Answers