#polylith
2021-07-11
stask 05:07:17

Hi, question about JWT use in the clojure-polylith-realworld-example-app Why would anyone want to store the token in the database? Isn’t it only supposed to be generated and returned to the user and then validated in other requests? The payload of the token contains unique user identifier that can be used to fetch the user. What’s the purpose of storing it?

furkan3ayraktar 12:07:36

Once a user logs in, a JWT is generated and returned back to the client application. The client application includes this token in the Authorization header of the subsequent requests. If you check out the https://github.com/furkan3ayraktar/clojure-polylith-realworld-example-app/blob/e7e213d0fb48c1d97d3e7dbe7d03a7370324adc2/bases/rest-api/src/clojure/realworld/rest_api/middleware.clj#L7 in the rest-api base, you’ll notice that the currently logged in user is found by querying the database with the received token. I cannot say that this is the most secure or the only way of implementing the JWT authentication, but it is a simple way and serves the demonstration purposes.

stask 14:07:38

Yes, I saw it in the code. I just didn’t understand why not decode the token (using the same clj-jwt library, which also validates the signature) and use the :sub claim to query the database by user id.

stask 14:07:51

That way you don’t need to store the token at all.

furkan3ayraktar 16:07:10

I didn’t actually pay much attention to that specific part. People are using it as a reference project, so it would be nice to fix, especially for the junior developers who might just copy-paste what I wrote. Thanks for pointing out a better implementation.