This project is insecure, you can set a random jwt token and still get access to the dashboard

[ar065]

No description provided.

[kosvrouvas]

Can you elaborate a bit?

[ar065]

local Storage.setItem("jwtToken", <jwt token>);
I used the token from the jwt.io debugger since it was the easiest to find, after setting that value in local storage you log in automatically, and the jwt token is never checked against the database

[kosvrouvas]

woah, you are right. We need to disclose this properly. @rishipr

[Hartaj-Singh-Dev]

Hey I would like to work on it ,
can you please elaborate it more

[danielzting]

Looks like it's because client/src/App.js uses jwt_decode which explicitly does not validate the signature. It should instead pass the JWT to a server-side API endpoint that checks the token with the secret in config/keys.js. (Speaking of security, personally I wouldn't have my secrets checked into version control either...)

[Alchem1Krypt]

Yeah, the problem is that the token is not verified on the server side which makes any token work on the client side.
so there should be an HTTP endpoint that does token validation and the private pages must be reachable only if the token is valid.