Hello @bytesbay,
First of all, I appreciate your idea and work!
The Issue:
I'm thinking: if the hacker has access to a token (even an expired one) and he tries to decode the signature by looking at the `verify.js` code you have, he gets the signature. Now he can set a new expiry date the way you did it in `sign.js`. Of course it is not possible to set the expiry through the package, but he can do it with his own code (since, I believe, there's no JWT secret involved to encode). Then he can send this token to the backend API, which in turn gets validated by the API (since it will never expire if he's greedy). Won't this be a problem? Or am I missing something? I think there should be a way to encode and decode messages with a secret. No?

@bytesbay thoughts?