I don't want it in plain text, so I was thinking I would create a JWT token and send it in the response and decode it in the frontend using the secret key.

A JWT token is usually plain-text. There are two types of JWTs - JWS (signed JWTs) and JWE (encrypted JWTs). The latter has the content encrypted, so no one can read it unless they have the key for decryption. Encryption is hard to configure and manage, though, so JWEs are not used very often. You need a really strong reason to be using JWEs. In fact, when people use the term JWT, they usually mean JWS. Using the signature you can verify that the JWT hasn't been changed by an attacker, but they are plain-text. Anyone can read the content of the JWT, they just can't modify it.

Also remember that an Angular app has all of its code available to users, which means it can't hold any secrets. If you put a secret in your Angular app, then anyone will be able to read that secret and use it to decrypt your JWEs, or forge new JWSs, if you're using symmetric signing (e.g.

I achieved the decoding part using jwt-decode without the secret. My concern is, if an attacker intercepts my response and modifies the token, how do I tackle that situation?

If you're concerned about a man-in-the-middle attack, so that someone will modify the response from your server, then all you need is an HTTPS connection. If you connect to your API using HTTPS, then you're sure that no one modified the response, nor read it. If you're concerned that your response will get modified after HTTPS is terminated (e.g. malicious code running in the browser), then you can use JWS to ensure the integrity of the response. You just have to remember to use asymmetric signing, so that the Angular app only keeps the public key. I don't know which library for JWTs you are using in Angular, but I think all of them are capable of verifying signatures, so that shouldn't be a problem.
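The asymmetric-signing advice above, as an added example that is not part of the original question or answer: a JWS is verified in the client with only a public key, its payload is readable without any key, and a modified payload fails verification. ES256, the helper names (`signJws`, `verifyJws`, `demo`) and the claims are assumptions made for illustration, and the key pair generated in-process stands in for a server key whose public half would be shipped with the Angular app.

```javascript
// Added example: an ES256 JWS checked with WebCrypto using only the public key.
// Browsers and Node 19+ expose WebCrypto globally; the require is a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const SIG = { name: "ECDSA", hash: "SHA-256" };
const enc = new TextEncoder();

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const encodeJson = (obj) => b64url(enc.encode(JSON.stringify(obj)));
const decodeJson = (part) => JSON.parse(new TextDecoder().decode(fromB64url(part)));

// Stand-in for the API server: signs with the private key, which never reaches the client.
async function signJws(payload, privateKey) {
  const signingInput = `${encodeJson({ alg: "ES256", typ: "JWT" })}.${encodeJson(payload)}`;
  const sig = await subtle.sign(SIG, privateKey, enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;
}

// Client side: returns the claims only if the signature verifies, otherwise null.
async function verifyJws(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  try {
    if (decodeJson(header).alg !== "ES256") return null; // pin the algorithm, ignore others
    const ok = await subtle.verify(SIG, publicKey, fromB64url(signature),
      enc.encode(`${header}.${payload}`));
    return ok ? decodeJson(payload) : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

async function demo() {
  const { privateKey, publicKey } = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
  const token = await signJws({ sub: "user-1", role: "viewer" }, privateKey); // constructed claims
  // The payload decodes without any key: a JWS is signed, not encrypted.
  const readable = decodeJson(token.split(".")[1]);
  // Replace the payload but keep the original signature, as a modified response would.
  const [h, , s] = token.split(".");
  const tampered = `${h}.${encodeJson({ sub: "user-1", role: "admin" })}.${s}`;
  return { readable, valid: await verifyJws(token, publicKey),
    tampered: await verifyJws(tampered, publicKey) };
}

demo().then((r) => console.log(r));
```

`verifyJws` returns the claims for the untouched token and `null` for the modified one, while `readable` shows the claims were never confidential.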
The goal is to use Cypress for component testing and e2e testing mainly. Install and configure all Cypress correctly, configure Cypress in the 'cypress open' script to open E2E related tests and configure the 'cypress open-ct' script for component tests, all settings work very well. The project is already ready and I have absolute folders configuration, when I import a component from '~/components' I am accessing 'src/components', I am not able to make the proper settings to be able to access the absolute folders because when I run the cypress open script -ct doesn't seem to run 'file:preprocessor', where you need to run it to run the webpack where you have the absolute folder settings. I tried several alternatives and this was the one that worked the best because when I run the 'cypress open' script cypress executes 'file:preprocessor' it applies the webpack settings and if I try to import a component using '~/component/InputDate' it works, however 'cypress open' is for E2E tests, I can't run unit tests through this script. I can be wrong about the cypress open script not running component tests correctly but I'm looking for a solution to the big problem that is these absolute folders. I tried the tsconfig.json files configuration solution but I couldn't make it work because I use it in the jsconfig.json project, I tried to use tsconfig.json I used the 'tsconfig-paths' package and got no result.