atinux / nuxt-auth-utils

Add Authentication to Nuxt applications with secured & sealed cookies sessions.
MIT License

Can I verify the token on another server? #131

Closed dalbodeule closed 3 months ago

dalbodeule commented 3 months ago

I ran into a problem while creating a project. After implementing Discord OAuth in Nuxt, the token coming from it had to be verified in another backend, which became a bit complicated.

I don't recommend this, but I think I have to use this method due to my project structure. If so,

  1. Is it possible to do it using a general JWT library?
  2. Can I verify it with SESSION_PASSWORD?
  3. What algorithm should I use?

I want to know about

PGLongo commented 3 months ago

@dalbodeule, if you are interested, I have implemented a basic (really basic) JWT in this PR: https://github.com/Atinux/nuxt-auth-utils/pull/17. You can find the logic to obtain the tokens there. You will also see how to add the tokens to the headers or refresh the token.

dalbodeule commented 3 months ago

I checked. But I don't know. In the end, I decided to create a Session on the server and then verify it in this project. But thanks for your help.

sneakylenny commented 1 month ago

What I did with @sidebase/nuxt-auth was reverse engineer the way they encrypt the cookie. As I'm currently migrating the authentication to this package, I needed to do the same. This package makes use of h3's sessions. h3 is the server Nitro (and thus Nuxt 3) is built upon. h3 encrypts its session data using this "seal" method, which makes clear they use the iron method popularized by Hapi.

So there you have it. If you want to encrypt/decrypt, seal/unseal the data on a server (and validating the cookie in the process) you'd have to use the iron method to do so.

You could write all the logic yourself like pi0 did in h3, but here are some packages that can do it for you:

JS:

PHP:

This way you require the same password used in the frontend to seal the data on your server. You could also store the JWT in the cookie and validate it separately on the server too.