1
votes

I have a request '/login' which basically validates the USERNAME and PASSWORD and, on success, returns a token (JWT).

Now the question is: my API is also returning USERNAME and PASSWORD in the response along with the token. Is that the right way, or should I remove USERNAME and PASSWORD from the response?

Request JSON

{
    "USERNAME": "admin",
    "PASSWORD": "123456"
}

Response

{
    "token": "eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1NTk1NTM4NjcsInVzZXJMb2dpbklkIjoiYWRtaW4ifQ.fxaENKTXxPG5wl8hp7_cSORfMzI38ODu_HgNRj3c7UZwohiFNFfZVpou8MYU4kkxEXV87-LP3upctjGCpGV6_Q",
    "PASSWORD": "123456",
    "USERNAME": "admin"
}
3
Yes, you should use the user's data only for getting the token. - ekiryuhin
Hi @Lalit Dashora, can you update how you fixed it or accept an answer? - Brother
Hi @Brother, I didn't get the exact answer from the community, but for now I have removed the username and password from the response. For now, agreed with your answer. - Lalit Dashora

3 Answers

1
votes

I can't add a comment on Brother's answer, so I'll share my thoughts here.

As Brother said, you should not expose the password, or any sensitive information, if it's not needed. If you want to know which user the token is referencing, you can put a UUID inside, which is a non-linear string identifier for your user. Many databases handle this type of identifier as a primary key. You should also encrypt the password with libs like bcrypt.

0
votes

For security reasons, you should definitely remove the password from the response. I don't see why you would want it there. The same goes for the username: if you need any information, it should be inside the token itself.

Another good approach is having a refreshToken together with it, so when the token expires you can use the refreshToken to get a new one without asking the user to log in again.

Also, avoid having the JWT contain sensitive information, like email, password, full name, etc.,

as anyone can get it and paste it into the page https://jwt.io/ to retrieve what is inside.

0
votes

As other people have stated here, your application should not be aware of the password or save it in any kind of state (memory, database, ...), but rather hash it.
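The three answers above combined into one runnable login handler, as an added example that is not code from the question or any of the answers: it stores only a salted password hash (stdlib PBKDF2 stands in for the bcrypt the first answer suggests), issues a short-lived HS256 JWT whose claims hold a UUID user id and an expiry rather than credentials, hands out an opaque refresh token, and returns nothing else. `peek_payload` shows what jwt.io shows, that the claims are readable by anyone holding the token. The signing key, user table and endpoint shape are assumptions for the example.

```python
import base64, hashlib, hmac, json, os, secrets, time, uuid

SECRET = b"hypothetical-signing-key"  # assumption: server-side only, never sent to clients

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str) -> str:
    # Only salt + digest is stored; PBKDF2 is used because it is in the stdlib (bcrypt/argon2 are equally fine).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return _b64url(salt) + "$" + _b64url(digest)
def verify_password(password: str, stored: str) -> bool:
    salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _b64url_decode(salt_b64), 200_000)
    return hmac.compare_digest(digest, _b64url_decode(digest_b64))

def issue_jwt(user_id: str, ttl: int = 900) -> str:
    # Claims carry only an opaque user id and an expiry, nothing a reader could reuse as a credential.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"
def peek_payload(token: str) -> dict:
    # What jwt.io does: the payload is base64url, not encrypted, so any holder of the token can read it.
    return json.loads(_b64url_decode(token.split(".")[1]))
def verify_jwt(token: str) -> "dict | None":
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("exp", 0) > time.time() else None

# Constructed sample user store: a UUID as the stable identifier and a password hash, never the password.
USERS = {"admin": {"id": str(uuid.uuid4()), "pw_hash": hash_password("123456")}}
DUMMY_HASH = hash_password(secrets.token_hex(8))  # verified against when the username is unknown
REFRESH_TOKENS: dict = {}  # opaque refresh token -> user id, kept server-side

def login(body: dict) -> tuple:
    user = USERS.get(body.get("USERNAME", ""))
    stored = user["pw_hash"] if user else DUMMY_HASH  # same work for unknown users as for wrong passwords
    if not verify_password(body.get("PASSWORD", ""), stored) or user is None:
        return 401, {"error": "invalid credentials"}
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = user["id"]
    # The response echoes neither USERNAME nor PASSWORD: the client only needs the two tokens.
    return 200, {"token": issue_jwt(user["id"]), "refreshToken": refresh}
```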