Is JWT really safe to use in iOS Swift apps? [duplicate]

Question

I am developing an iOS application which requires users to be able to sign in, register an account and log out.

In the app, when logged in, they can do a variety of stuff. But that doesn't (really) matter now. I use Node.js as backend and am in the process of sending back a JSON Web Token (JWT) when the credentials are correct. Now I am merely wondering if this is really secure..

I have been looking around on the Internet for the last week for the safest way to build an authentication system based on username and password. I store my passwords using bcrypt in a MySQL database. Matching them works fine, so I can actually log in - but I want to generate a key to allow access afterwards so the user doesn't have to log in on every page he visits.

JWT seemed like a good option, but the more I read about it, the more I am convinced it is not as safe as I want it to be. After all, I don't want someone to retrieve a JSON Web Token, change it to something else, and suddenly have access to someone else's account.

An example of how I use JWT is shown below:

const payload = {
    userName: rows[0].userName
};

var token = jwt.sign(payload, secret, {
    // expiresInMinutes: 1440
});

If I try to decode this, in no time I can retrieve the userName. That can't be safe.

I have researched a lot about this, there are a lot of discussions, but I fail to understand why so many applications use it then. I must be missing something in terms of security or how I can make this a better system to use. If not, are there any other systems I should look into to authenticate my users using username and password and keeping them logged in?

Answer 1

The part that makes the JWT secure is the signature. A JWT contains three parts:

• Header
• Payload
• Signature

Below is a quote from https://jwt.io/introduction/:

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.