Have setup a test server with express, socket.io and a token-based authentication with jwt
On the server-side the tutorial logs the decoded token
console.log(socket.handshake.decoded_token.email, 'connected');
But when I try to log socket.handshake.decoded_token the variable is undefined.. socket.handshake doesn't contain any variables with the decoded token
So.. I tried to google how to decode the token and found this page
https://developers.google.com/wallet/digital/docs/jwtdecoder
I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking.. How can it be secure if the script can decode the token without the secret!?
The public token which is returned to the client as authentication
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImNsYXJrIiwiZW1haWwiOiJjbGFya0BlbGVjdHJvYmVhdC5kayIsImlhdCI6MTQwMzczMTkyMSwiZXhwIjoxNDAzNzM1NTIxfQ.mVFymk6gKBPmcVObB_3ydqbJTlcv4eVNYBcahsjg0g8
解决方案
The token is not encrypted, just encoded.
The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.