Passport JWT Strategy Flow (Node + Passport + Express)

  • Published on 17 Dec 2024

Comments • 53

  • @sadhucat4476
    @sadhucat4476 4 years ago +22

    I really appreciate the way he explains the theory and why's of what he's doing. This guy is an excellent communicator.

    • @zachgoll
      @zachgoll 4 years ago

      Really appreciate the compliment!

  • @electrotsmishar
    @electrotsmishar 4 years ago +12

    This series deserves a billion likes

    • @zachgoll
      @zachgoll 4 years ago +4

      If this video gets a billion likes, I'll buy everyone in the comments a new car.

    • @electrotsmishar
      @electrotsmishar 4 years ago +1

      @@zachgoll Why is there no "haha 😆" react in TH-cam?

    • @arpitanand6534
      @arpitanand6534 3 years ago

      @@zachgoll but then there would also be at least ten million comments! 😂😂

  • @shriharikulkarni07
    @shriharikulkarni07 2 years ago

    Thanks for the theory part. All the tutorials out there start directly with the implementation leaving me clueless. The brief theory helped me get a hang of the concept.

  • @GamingArmedBee
    @GamingArmedBee 3 years ago +1

    Before you say anything, I want to thank you for doing such appreciable work.

  • @Jonas-qm7ls
    @Jonas-qm7ls 2 years ago +2

    Great. Your explanation style is so wholesome. I don’t know if there would be a market for coding podcasts, but I sometimes listen to your content without video even while on move and still learn a lot. Thanks.

    • @zachgoll
      @zachgoll 2 years ago +2

      Very interesting idea! Would be fun to do a podcast one day!

  • @risingpower
    @risingpower 4 years ago +3

    One of the best video series I've seen on YouTube, thanks for the hard work.

  • @brettgoldfine8230
    @brettgoldfine8230 3 years ago +1

    Hey Zach! I read your medium article for passport-local. So, I just wanted to say thank you for your detailed analysis of passport. Extremely well written and helpful. Thanks!

    • @zachgoll
      @zachgoll 3 years ago

      Thank you for visiting the channel and the comment 🙏

  • @GamingArmedBee
    @GamingArmedBee 3 years ago

    You are my teacher... RESPECT... Got a job because of you.

    • @zachgoll
      @zachgoll 3 years ago +1

      That’s so awesome to hear! Congrats!

    • @GamingArmedBee
      @GamingArmedBee 3 years ago

      @@zachgoll Really, thanks, sir. Many can't afford to study at a good institute, and because of great teachers like you, many are getting knowledge and jobs.

  • @EddyVinck
    @EddyVinck 3 years ago +5

    Just some advice: store your JWT in an HTTP-only cookie when using 3rd-party code in your frontend. LocalStorage can be accessed by 3rd-party code easily.

    • @zachgoll
      @zachgoll 3 years ago +1

      Interesting, had not thought about that!

    • @alexe3682
      @alexe3682 2 years ago

      @@zachgoll Yes, the common recommendation is that you should use local storage. If you want to build something secure, this recommendation is wrong. Actually, simple session-based authentication is much more secure than the JWT-based one. The problem is described in the following talk:
      th-cam.com/video/JdGOb7AxUo0/w-d-xo.html
      It changes nothing about the fact that the tutorials you created about this topic are simply the best. You may be asked by your company to make JWT authentication for their API. The way you should accomplish it is laid down by you. Should you do it at all? Perhaps not, but if you are asked for specifically that, it's hard to say no and explain to them why it is insecure. It's simpler just to do it.

  • @lucasjohnson2462
    @lucasjohnson2462 4 years ago +1

    If you know the basics of JWTs, skip to 10:30-ish; otherwise, a solid video.

  • @anandvbalagopalan3537
    @anandvbalagopalan3537 4 years ago +3

    Please use 1.25x playback speed.

  • @brockbrown1629
    @brockbrown1629 2 years ago

    7:57 I read somewhere that you should only store JWTs in an HttpOnly cookie, a type of cookie that is only sent in HTTP requests to the server. This is because if it's in, say, localStorage, it could potentially be collected by a compromised third party script running in the browser.

    • @zachgoll
      @zachgoll 2 years ago +1

      Yes, that is a more secure way to do it. What I’ve learned about auth is that it’s all about compromises. In this case, we’re calling an API from an SPA, which requires a scheme called “Basic Auth with Pkce” (auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce) which in our case, is the “best we can do” and is pretty darn secure.
      If you are able to do auth server side in a cookie, that is recommended. But we can’t do that here so we’re using the best scheme we’ve got available to us.

  • @Yesaps
    @Yesaps 4 years ago +2

    Can you please make a video on how we can integrate passport-jwt and other REST APIs with our React Native application?

  • @moreno-phg
    @moreno-phg 4 years ago

    Keep with this gospel, Zach. You are building a great church with that rock.

  • @puny-camera
    @puny-camera 2 months ago

    Question: JWTs and sessions have the same kind of vulnerability, in that if a bad actor steals the JWT or the session ID they can pretend to be the user, right? So in that respect the session ID is as vulnerable as a JWT, right?
    Thank you for the videos; they are a light that brings confidence on the confusing and hostile path that is rolling your own auth.

  • @PasanChamikara
    @PasanChamikara 4 years ago +1

    Thanks, a much more up-to-date video on YouTube than most ;)

  • @ehteshamakhtar8290
    @ehteshamakhtar8290 7 months ago

    awesome content🔥🔥🔥🔥

  • @prajwoladhikari7468
    @prajwoladhikari7468 4 years ago +4

    What are the disadvantages of just defining a simple random secretOrKey in the .env file?

  • @darthvadar2915
    @darthvadar2915 2 years ago

    What is a good place to store the public and private keys?

  • @bencole2892
    @bencole2892 3 years ago

    Great work Zach thank you.

  • @ngoprekgames9734
    @ngoprekgames9734 3 years ago

    Hello brother, what versions are you using in this video? Each dependency:
    jsonwebtoken? passport? and passport-jwt? Thanks

  • @bryanurizar
    @bryanurizar 4 years ago

    Hi Zach, I've been reading through your article on JWT on Medium and was hoping you could perhaps shed some light on a question I have. I understand the part that RSA-SHA256 is asymmetric and how the private/public keys are mathematically connected, but the private key can't be derived from the public key. However, when it comes to the server decrypting the JWT signature, why is it that the server decrypts the signature using the public key, when it also holds the private key? It makes sense to me to use a public key if it were two separate entities carrying out the encryption/decryption, but the server is doing both the encryption and the decryption. Why is a public key even necessary?

    • @zachgoll
      @zachgoll 4 years ago

      Think of it like a neighborhood. Oftentimes, we will give a spare key to a few of our neighbors that we trust so that they can enter our house if they need to while we are gone on vacation or something. We are essentially issuing them a private key. When they come to our front door and use the key, the door (public key) recognizes the private key and lets the neighbor in the house. It's not a perfect example because keys can be duplicated easily, but it generally gets the point across.
      I would review the following two video snippets as well to get some better context.
      th-cam.com/video/kMpklLgF0PQ/w-d-xo.html
      th-cam.com/video/ipQrwfKTH_4/w-d-xo.html
      Asymmetric crypto has two use cases: protecting data, and "digital signatures". We are implementing digital signatures through our JWT here. Since the JWT has the private key within it, we need the public key to decrypt it. By doing this, the server knows that the only place the user could have gotten that JWT was from itself.

  • @ytdevs
    @ytdevs 4 years ago +1

    You're a brilliant man, I hope you know that 👌👍🏽💪🏽

  • @locksmith6096
    @locksmith6096 4 years ago

    Great explanation and examples, thank you. But what about refresh tokens? How to store them, and how to automatically renew the expired JWT?

    • @zachgoll
      @zachgoll 4 years ago +1

      I did not include refresh tokens here because that starts getting into the concepts of OAuth protocol. I may make a future video on this, but it would take a while to explain fully I think.

  • @tuoikien602
    @tuoikien602 3 years ago

    How can I integrate Google Authenticator with this JWT strategy?

  • @skyle7
    @skyle7 4 years ago

    Thanks for sharing! I am wondering if HS256 also works in this JWT case?

    • @zachgoll
      @zachgoll 4 years ago

      I believe it should, but the configuration and setup might be a little bit different, as it is a different protocol.

  • @tech3425
    @tech3425 1 year ago

    Good stuff

  • @kez99
    @kez99 4 years ago

    Informative vid, sir! Appreciate your efforts.

  • @stephenpeters9125
    @stephenpeters9125 3 years ago

    I don't know if Zach will see this, but I've been following along and converting this whole thing to mysql/mariadb. I just wanted to confirm if you were using mongoose to create the user model as opposed to the last series where express-{insert db name}-session seemingly created the table/document? Also, this is a great video series.

  • @merakli2022
    @merakli2022 3 years ago

    Awesome.

  • @P0laari
    @P0laari 4 years ago +2

    So happy that I found this playlist, great stuff! If anybody here is like me and starting to build a Typescript backend with otherwise similar configurations as presented here, I built a starter template for this kind of project, feel free to use it: github.com/tterimaa/express-jwt-authentication-starter-typescript

    • @JohnCamden
      @JohnCamden 4 years ago

      Thanks very much!

  • @DEV_XO
    @DEV_XO 4 years ago

    Nice!!! Thanks!

  •  4 years ago

    Love the video

  • @bloodaid
    @bloodaid 4 years ago +1

    So much talk about JWT, and yet you didn't say how to implement JWT.

    • @zachgoll
      @zachgoll 4 years ago +3

      There is a video earlier in this playlist that goes through all the essentials of JWT - th-cam.com/video/kMpklLgF0PQ/w-d-xo.html

  • @criticalthinker1123
    @criticalthinker1123 2 years ago

    *Great content, but I only had to fast-forward a bit.*

    • @zachgoll
      @zachgoll 2 years ago

      Sounds like there are better channels out there for you! Many videos here are beginner focused.
      I’d recommend the Fireship channel. He makes short and awesome videos!

    • @jim3044
      @jim3044 2 years ago +1

      @@zachgoll This Critical Thinker fellow isn't really a critical thinker. You're doing a great job, Zach. Your pace is on point. This guy is just jealous because he couldn't put out a video half as good as yours. I don't get why people try to drag down others simply because they are jealous or just rude. We need more positive vibes and less shit like this. Peace.