by grosbisou
3443 days ago
Curious about the 2. JWTs are signed via a secret key, right? Couldn't the backend verify the signature and reject the token? I am pretty confident most JWT implementations do that automatically. The dude just didn't think about that or look into how JWTs work. Which I believe is even worse :<
Whereas the parent poster said "what would happen if I stolen his token" (for example, via XSS). So in that case, it's a legit token in the hands of a bad actor, and the signature would still be valid as far as the backend could tell.
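To make the distinction in this thread concrete, here is an added example (not code from either commenter) of a minimal HS256 JWT mint/verify pair: a token whose payload is edited without the key fails signature verification, while an unmodified token presented by anyone still verifies, which is why a short `exp` lifetime matters for the stolen-token case. The secret and claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment keeps this secret server-side.
SECRET = b"demo-secret-for-illustration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # payload or signature was altered without the key
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None  # a leaked token stops working once it expires
    return claims


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature: what editing a JWT without the key looks like."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(new_claims).encode())}.{sig_b64}"
```

Note that `verify_jwt` has no way to tell whether the presenter is the original user, so the defender's levers are the expiry window, server-side revocation, and keeping the token out of reach of scripts (e.g. not in a JavaScript-readable store).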