I am learning Angular and see a lot of examples of user authorization through checking if the token is expired. For instance, if the user has a token AND it is not expired, let him access the protected route. I do not understand: is this shown as a simplified example, or is it really the usual practice? Technically, if my token is not expired but the signature is invalid, I would still pass an initial stage of authorization and 'get closer' to a protected resource. Do I misunderstand something?

Then, if I also use Django REST JWT in the backend, it allows verifying the token on the server side. It means that a request should be sent to the server on every action. Isn't that a proper way to do authorization, or has it got another purpose?

In general, what is the correct way to authorize a user or user's action?

1 Answer

There's really no way for your client application (Angular App) to verify a JWT, nor should it be able to decode the JWT and check the expiration.

Your Angular App should:

  • Send a request to the API to login
  • Receive a response with a JWT token if the request is successful
  • Send the JWT with every request to the API. Usually this is done by setting the Authorization: Bearer xxxxxxxxxxxxxxx header.
  • The server/API must be the one to authenticate the user; when it receives a request, it should check the token for validity.
  • Then, the Angular App should check the response for exceptions; specifically, I think it is worth mentioning treating 401 responses correctly.

Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided

The 401 response might return response messages indicating how and why the authentication failed, i.e.

  • The token has expired
  • The signature verification has failed
  • Invalid number of segments
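A minimal server-side check that produces exactly the three 401 reasons listed in the answer, added here as an example; it is not code from the question, the answer, or Django REST JWT. It assumes an HS256 shared secret and mints its own constructed sample tokens; the signature is checked before any claim (including `exp`) is trusted, which is the gap the question is asking about.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: the server's signing key


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to build constructed sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: float = None) -> tuple:
    """Return (200, claims) for a valid token, otherwise (401, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "Invalid number of segments"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm so an attacker-chosen header cannot downgrade it.
        if header.get("alg") != "HS256":
            return 401, "Unsupported algorithm"
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison; claims are not read until this passes.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return 401, "The signature verification has failed"
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # covers binascii.Error, JSON and UTF-8 decode errors
        return 401, "Malformed token"
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return 401, "The token has expired"
    return 200, claims
```

Because the signature is verified first, a client that edits `exp` in an otherwise valid token still gets the signature failure, not a fresh expiry.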