I didn't even searched for something like this, just thought of it...

KZbin algorithm at its finest

Universe at work.

Real

You mean this channel uploaded the video right after you were searching for it in google?

This one looked sponsored. But who cares, Jeff explained me JWT in 100 seconds which I had been struggling to understand since a few months now.

I 100% agree with this

This guy doesn’t know shit.

45 likes and no replies in 3 years? I'll fix that

Knowledge is a hell of a drug

yes you're goddamn right

Absolutely true. It's the same for me too🔥

Me too

SQL injection

This i what i’m trying to figure out. If you store the jwt in a cookie/http only cookie. Is it still considered as token based auth? Or it is now cookie based auth?, Also if you indeed store the jwt in the cookie, how can you attach the jwt on the header as bearer token in your request?

@@zedshockblade7157 cookies are sent automagically to any requests made to the specific server in which they were created, so you don’t need to include them in the headers manually

​@@zedshockblade7157 those are 2 separate things. Manually adding the SECRET (let's call it that, for now) to the Authorization header on every request versus storing it and as a cookie (and letting the browser automatically add the cookie header on every request) will achieve the very same goal. Now, there's the SECRET type. A "session" is a token you generate and store in memory or disk storage. You have to check the user sent SECRET through a list of valid sessions every request. The "token" is signed using a hashing algorithm, so you can mathematically prove you are the one who created the token (and not someone else). That way, you don't have to go through a list, you just trust it. One con of the that last approach is that you can't revoke a token (by removing it from the valid tokens list). That feature can be important in some systems (e.g. revoke every user session when he changes the password).

@@igor9silvaThis is the correct answer. How you transfer the data (cookie or header) is not really important for how the validation works. Also really good tip about revoking access control👍

​@@igor9silvacouldn't you just use a UUID for every device for this method? So you concat and hash user id, username and the device uuid, if that token doesn't match one stored on the server then access denied...

Your juniors can get the info here. Give them a bit more than 2 minutes. They will appreciate it.

Thank you. Good idea, I want to cover more DBs in this format.

@@edwardsmale3977 Redis is just a key value store which makes it extemely fast. Adding/reading/removing data works basically like the local/session storage in a browser. It’s mostly used for storing session or caching data.

With serverside sessions, its common to shove that data it into some external memory storage like redis. It frees up load on your database, plus that data doesn't need to be persistent anyways. And it keeps your api servers or w.e stateless, makes it easier to autoscale stuff while it sits behind a load balancer.

​@@Fireship hello there, do make RUST in 100 seconds and React state management in 100 seconds

@@Fireship At 1:40, what does it mean that web tokens "can't be used to authenticate a user in the background on the server"?

kzbin.info/www/bejne/anyrmoaqZdR_gJI

I don't think JWTs are that complicated. It's all handled with standardized libraries that make it quick and pain-free

@Jack Lusher Sessions for the win!

can you provide more details ?

​@@mikemartin6748What library handles the refresh process in a pain-free way? Except for full-blown backend services like Supabase. And then you still have the problem that you can't invalidate a token instantly when your account was hacked and you need to change your password.

Unless you develop your server in Assembly or have a compulsory need to reinvent the wheel by writing your own code for everything, this isn't true.

Interesting, I permit both so I don't need to make a frontend and backend api, feels like it just needlessly complicates things, couldn't find any articles about pros and cons of doing this? Is there any benefit, if so I'd be greatful if someone can let me know

If this is ur only problem 😂

No. If you make the token expire quickly, then the user has to log in way more frequently. A token is created when a user logs in with lets say a username and password. If that token is set to last for 30 mins, then during that 30 mins, if the user logs out, he doesn't have to enter his username and password to log in, he would enter the website automatically. But once 30 mins has passed and the user closes the website, the token will expire and he would have to put the username and password again to enter the website and create another token that would last another 30mins. The longer the token time, the less frequently the user has to log in with his username and password. And there is actually no need to fear hackers lmao(I can explain why if you want to know but JWT's are virtually impossible to hack). The only way is if the hacker steals the device of the user and the jwt has not expired yet, the hacker can just login freely, which just makes him a thief, lol. The responsibility of keeping the device safe falls on the user, not the web server(your server) but yeah you could make the jwt expiry time very short but I dont think its worth it

@@LilmeMusic Ideally it would fall on the user but users are fucking stupid lmao

@@LilmeMusic That's why he mentioned the refresh token. If the auth token expires, the refresh token is used to get a new one. The refresh token will be valid for way longer than the auth token.

@@buddh4r isnt that just passing the problem to refresh token? Someone can hijack refresh token and keep making auth tokens

@ The refresh token should only be sent when required so e.g. when using cookies, set a path in order to only include the cookie in the refresh request, you can also invalidate refresh tokens once they are used and create a new one (this may requires some server state). But yes generally if the refresh cookie is stolen its bad, but its the same (or less) risk as using session cookies which are not invalidated (at least not very often when using long sessions) and send with every request.

Sounds very bloated more like. You'd get the negative parts of both without the positive parts of either (not that JWT has any positive parts in the first place, though).

@@Mankepanke "Not that JWT has any positive parts in the first place" then why oh why are people using it enough for it to be one out of the two standards for web authentication? Why, Magnus Bergmark, why? People will really fanboy over the tiniest things.

@@uwirl4338 Mostly because of it's simplicity. I'd concur that security wise, well implemented sessions are most likely more secure than well implemented JWT, but JWTs are easier to quickly add to any codebase, especially with the popularity of "serverless" nowadays, I think

@@uwirl4338 .... When you are in a argument never ever attempt to bring up that just because people uses a technology means that is good... Also, the amount of people using it doesn't relate to why it is a standard...

@@LuminousWhispers11 has anyone asked for a life advise here though?.. don't think so )

To me, using http only cookies is the better option. Not only are they automatically attached to every request, but they can’t be stolen with an XSS attack unlike using localstorage.

JWT's dont hit the database, no need to waste your time. We store nothing on our servers and database, if we did there would be no point, we would just go back to sessions. JWT's are secure enough, dont worry

It’s not solving the problem in general but it makes it harder to exploit. So definitely a way to go. The safest approach using JWTs is to store/send them as httpOnly + SameSite cookies while using the accesss/refresh token approach.

@@daheck81 Hmm I'm sending the jwt as a response and save it to localstorage but use httpOnly + SameSite cookies for the refreshToken. Is that an ok approach?

@@rumble1925 Yes, that’s actually how I'm using it most of the time as well. As long as you keep the expiry time of your access token low (< 15 mins) this is safe enough.

@@daheck81 nice, thanks :)

An the icons are more "hd"

Are you internet explorer or what

And much better

This is getting very weird

Woah, how does this have 41 likes?!?

you can also store whatever user data you want inside the JWT, which is handy and saves on traffic

That’s why I am storing my JWTIDs such that if the user changes password or if I want to revoke his session(s), then I can. Without storing the JWTIDs I wouldn’t be able to manually revoke his tokens without waiting for the expiry time of each of his tokens. The con is that I have to query the database for every API request. Oh well, nothing is perfect lol, but this works for my company’s app

If someone is able to steal the token, they would be able to do as many requests they wanted pretending to be that person, that's why it's important put a short expiration time the tokens and use refresh to keep them logged for longer time

@@MF-ty2xn how can access token be easily stolen but not refresh tokens ?

@@shashikanthp3145 Tokens are sent everytime to the server on the moment to get resources to verify user identity, refresh tokens however would just be exchanged with the auth server to refresh the token when necessary this make it less risky for the refresh token to persist for long time

what about storing some info in the JWT claims section? Is it a good idea?

​@@ggar493 You could, such as the hashed password and when a token is reported to be stolen etc change the users password and then hashed password in token wont match hashed password when you check it. However, whatever you put in the token you have to check on every request, the same as storing it in the DB with a "valid" column. The DB approach is simple and more likely for devs to understand. Also, the info in a token would have to be sensitive to the user somehow, then you're sending sensitive info around the net, encrypted or not it should be avoided, as this is a primary reason for tokens - authenticate with sensitive data once then use the token.

You can do both with Firebase, but it defaults to token-based

@@Fireship How would we know if it's token or session?

Thank you :D

I think the server only has one private key, but honestly I have no fucking clue.

The idea is that you have one key pair for all of your tokens that you might want to swap relatively frequently. Anyone could then validate the generated tokens but only the server could generate them. With purely stateless tokens the server would only need to check if the signature matches (but you might want to store revoked tokens in a database to handle revoking access) and then authenticate whatever user is specified in the token itself. The server doesn't need to keep track of all the sessions and only has to validate if the signature is valid or not. You should never use symmetric encryption in that use case.

Sure, but if you're going to use cookies, then you don't really need JWT tokens.

@@fred.flintstone4099 well if you want stateless auth you still need some sort of token, since we need to somehow verify that token is valid

Imagine a logged in user wants to save a post. They send you the post's text and the authentication data, for a session, that'd be a session ID. To save the post you need the user's ID, so you query the DB for "Which user does this seesion belong to?" and then you are able to create the post with the ID. With a JWT, you just verify the signature and decode it. The JWT already contains the user's ID, so you can immediately use it to save the post. You only need to hit the database for user info when their id isn't enough, e.g. getting the username. But it's still slightly faster than a session, because that'd envolve a JOIN

they are created on the server and and sent to the client, then the client stores them in local storage and the server in db etc.

Thank you !

lso, passport-local is just a local strategy that uses username and password(or generally any two fields you wish, really), you can implement it in any way you wish, like using JWT instead of sessions for example.