🐛 [Bug] Remove potentially sensitive information from JWT encoded token
Created by: Tirokk
Authored by: roschaefer (status: Closed)
🐛 Bug report
While I'm writing the slides for my lecture I see that the JWT documentation warns about putting sensitive data into the token. We put the email of our user there. We never use the email when we decode the token. Let's get rid of it.
Steps to reproduce the behavior
- Get a JSON Web Token from http://localhost:4000/ with the following mutation:

  ```graphql
  mutation {
    login(email: "user@example.org", password: "1234")
  }
  ```

- Copy and paste the token into https://jwt.io/
- See the email in the base64-decoded payload
Expected behavior
E-Mail shouldn't be there.
Additional context
Here is where we decode the token: https://github.com/Human-Connection/Human-Connection/blob/master/backend/src/jwt/decode.js
Here is the JWT documentation: https://jwt.io/introduction/
You also should not store sensitive session data in browser storage, since any script running on the page can read it.