Part 121: Enhancing Security with JSON Web Tokens in Next.js

In our ongoing project, we've implemented basic authentication using cookies to store user information. However, storing sensitive data such as user details directly in cookies poses a significant security risk. A malicious user could potentially alter this data to gain unauthorized access. To address this, we can leverage JSON Web Tokens (JWTs) to securely manage authentication claims.

Understanding the Risks

Currently, we're storing user data in a cookie as a simple JSON object. This approach is insecure because the cookie's value can be easily modified by users. For instance, a user could change their identity from "bob" to "admin" simply by altering the cookie value. This lack of validation makes our application vulnerable to unauthorized access.

Secure Alternatives for Storing User Data

1. Server-Side Sessions

One way to secure user data is by storing it server-side in a database. This involves creating a session table where each user has a unique session ID. The session ID, rather than sensitive user data, is stored in the cookie. This ID allows the server to retrieve user information securely from the database on each request. However, this approach requires a database query for every request, which can increase server load.

2. Using JSON Web Tokens (JWTs)

JWTs provide a secure way to encode user data, ensuring that any attempts to tamper with the data can be detected. JWTs are essentially claims encoded using cryptography. They consist of three parts:

• Header: Contains the type of token and the hashing algorithm used.

• Payload: Contains the claims, such as user information.

• Signature: A cryptographic signature that verifies the authenticity of the token.

Implementing JWTs with the jose Library

To implement JWTs in our Next.js application, we'll use the jose library, which provides a comprehensive JavaScript implementation of the JWT standard. Here's how we can integrate JWTs into our authentication flow:

Step 1: Install the jose Library

First, we need to add the jose library to our project:

npm install jose

Step 2: Generate a JWT in signInAction

In the signInAction function, we'll generate a JWT to replace the current cookie containing user data.

// File path: app/sign-in/actions.js

'use server';

import { SignJWT } from 'jose';
import { cookies } from 'next/headers';
import { redirect } from 'next/navigation';

const JWT_SECRET = new TextEncoder().encode('some-random-string');

export async function signInAction(formData) {
  console.log('[signInAction]', formData);
  const email = formData.get('email');
  const password = formData.get('password');
  const user = authenticate(email, password);
  if (!user) {
    return { isError: true, message: 'Invalid credentials' };
  }
  const sessionToken = await new SignJWT(user)
    .setProtectedHeader({ alg: 'HS256' })
    .sign(JWT_SECRET);
  cookies().set('sessionToken', sessionToken);
  redirect('/');
}

function authenticate(email, password) {
  if (email.endsWith('@example.com') && password === 'test') {
    return { email };
  }
}

Step 3: Understanding and Verifying JWTs

JWTs are not encrypted, meaning their contents can be decoded. However, the signature ensures that any modification to the token will be detected. To verify JWTs, we'll later implement logic to check the signature against our server's secret key.

Useful Resources

• JWT.io: JWT.io provides a convenient debugger for inspecting and verifying JWTs. You can paste a JWT to decode its contents and verify its signature.

• jose Library: The jose library on npm offers tools for creating and verifying JWTs, supporting various algorithms and cryptographic operations.

Conclusion

By transitioning to JWTs for handling user authentication, we've significantly enhanced the security of our application. JWTs ensure that any tampering with the user's identity is detectable, allowing us to maintain the integrity of our authentication system. In future steps, we’ll focus on verifying JWTs server-side to complete our secure authentication workflow.