gothinkster / react-redux-realworld-example-app

Exemplary real world application built with React + Redux
https://react-redux.realworld.io
MIT License

Why pulling user from api instead decoding jwt #111

Closed fedebabrauskas closed 5 years ago

fedebabrauskas commented 6 years ago

In my experience, if you use JWT-based auth, you sign the logged-in user's info into a token, then pass it to the client, and decode/decrypt it to get that user info. In this project, the client checks for the stored token in localStorage and then pulls the logged-in user's info from an API route instead of decoding it from the stored token. What is the advantage of doing this?

Spenhouet commented 5 years ago

@fedebabrauskas You should read up on what a JWT is used for and why it is used for authentication.

In short: The JWT is server generated and only the server can decrypt it. This token can then be given out to any client, and that client can use the JWT as authentication to your application. Every time a user sends in a JWT, the server can verify whether the JWT is valid (the server can decrypt it and what's in it makes sense) and get the user data from there. Since only the server knows the key, a valid JWT should mean (in the general case) that the request comes from a valid user.

If the client side can create the JWT, then there is no point in using JWT in the first place.