Node js, JWT token and logic behind

别跟我提以往 2020-12-28 21:50

I'm using JWT to protect Node.js URLs: https://github.com/auth0/express-jwt

To create a JWT token user session I simply do:

-> auth/signup
4 answers
隐瞒了意图╮
    2020-12-28 22:08

    2 - Do I have to verify() the token every time a protected URL is called? If yes, why?

    Yes. But "verify" is a slightly confusing term.

    1. When the client calls /authenticate, the server first validates the user's credentials against the database to authenticate this user. This "expensive" operation is performed only once for the whole token life. Then the server prepares a JSON object holding useful user info and encrypts it to get the JWT token.
    2. This token is sent only once to the client, stored in the browser, and then sent back to the server on every client request to /api.
    3. While processing a client /api request, the server must "verify" the token for validity (JWT does it for you). But this does not mean checking the user's credentials against the database again. It is just decrypting the token to get the JSON object back, an HMAC-SHA256 verification, which is quite fast.
    4. Having a JSON object with useful user info (claims), the server can allow or deny this specific user access to the requested resource under the /api route.

    During token verification, no database check of user credentials is needed, because the server has to trust a received and verified (successfully decrypted) token. No server-side session storage is required to identify the user.

    You can think of JWT tokens as simple session info stored on the client in encrypted form. But if you need to cache more data in the user session info, I think you still need some sort of session storage on the server, rendering the JWT idea almost useless compared to a traditional session ID in cookies.
