What data should be recorded in the jwt (node.js + mongo)?

To generate a token I use:
jwt = require('jsonwebtoken');
/* next code */

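/**
 * Create a signed JWT for an authenticated user.
 *
 * Only a minimal, non-sensitive claim set goes into the token. A JWT payload is
 * base64url-encoded JSON, signed but NOT encrypted, so whoever holds the token
 * can read it. Signing the whole `user` document (as the original did) would
 * hand the client every field on it, e.g. the password hash or e-mail.
 *
 * @param {{ _id: unknown }} user - user record; only its id is used
 * @returns {string} signed token (jsonwebtoken treats a numeric expiresIn as seconds, so 5 hours)
 * @throws {Error} when `user` has no `_id` to identify it by
 */
function createToken(user) {
  if (!user || user._id == null) {
    throw new Error('createToken: user has no _id');
  }
  // `sub` (subject) is the standard JWT claim for "whom this token is about".
  const payload = { sub: String(user._id) };
  return jwt.sign(payload, config.secret, { expiresIn: 60 * 60 * 5 });
}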

/* next code */

// After registration/authorization succeeded: issue the token for that user.
// The return value is discarded in this excerpt; the real code has to send
// the token back to the client (e.g. in the JSON response).
createToken(user);


I would like to know the best practice: what data should be passed to the function that generates the token?
Should it be, for example, the login (John) and the id (ObjectId("5821d94dbb021a1360582da3") in the case of MongoDB)?
And, here, I think it's a relevant question:
Once the token stores some information that identifies the user, I can fetch the user's data from the database. Is it right to initialize the user based on the jwt? To initialize it I use express-jwt, which, if successful, sets req.user.
Thank you.
July 2nd 19 at 18:11
1 answer
July 2nd 19 at 18:13
Solution
Putting the login in the token is not necessary. The token should not contain "personal information", but the ObjectId is fine. It does not count as "personal", since from 5821d94dbb021a1360582da3 it is impossible to learn anything about the user unless you have stolen the database (I could be wrong).

In any case I'll post the whole code of the route that issues the token; it may not be particularly useful to you, and someone may scold me, since backend is not my strong side. The code uses callbacks rather than promises (as in ancient times). That's bad. With promises the code would be "flatter" and easier to maintain.

const express = require('express')
const router = express.Router()
const User = require('../models/user')
const v4 = require('node-uuid').v4
const jwt = require('jsonwebtoken')

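router.post('/signup', (req, res, next) => {
  // Input validation (legacy express-validator API: req.check / req.validationErrors).
  // `name` and `nickname` are copied below without validation; only the fields
  // listed explicitly reach the model, so a client cannot set arbitrary paths.
  req.check('email', 'Please enter a valid email').len(1).isEmail()
  req.check('password', 'Please enter a password with a length between 4 and 34 digits').len(4, 34)

  const errors = req.validationErrors()
  if (errors) {
    return res.status(400).json({ errors })
  }

  // Resolve the signing key up front. Previously a missing env var made
  // `new Buffer(undefined, ...)` throw inside a callback (an unhandled
  // exception); now it is a clean 500. `new Buffer()` is deprecated.
  const secretB64 = process.env.AUTH0_CLIENT_SECRET
  if (!secretB64) {
    return res.status(500).json({ error: 'Token signing key is not configured' })
  }
  const secret = Buffer.from(secretB64, 'base64')

  User.hashPassword(req.body.password, (err, passwordHash) => {
    if (err) {
      // Note: err.message from the hashing/DB layer is echoed to the client as-is.
      return res.status(400).json({ error: err.message })
    }

    // The original literal was missing the commas (a syntax error) and also
    // persisted the plaintext password next to its hash. Only `passwordHash`
    // is stored now; if the User schema still declares a `password` path,
    // remove it there as well.
    const user = new User({
      name: req.body.name,
      nickname: req.body.nickname,
      email: req.body.email,
    })
    user.passwordHash = passwordHash

    user.save((err, item) => {
      if (err) {
        return res.status(400).json({ error: err.message })
      }
      // Keep the payload minimal and non-secret: it is only base64url-encoded,
      // so the client (and anyone who obtains the token) can read it.
      const payload = {
        _id: item._id,
        iss: 'http://localhost:3000',
        permissions: 'poll',
      }
      const options = {
        expiresIn: '7d',
        jwtid: v4(), // unique token id (jti); a server-side denylist keyed on it can revoke a single token
      }
      jwt.sign(payload, secret, options, (err, token) => {
        // Previously the error was ignored and `{ data: undefined }` was sent.
        if (err) {
          return res.status(500).json({ error: 'Could not issue token' })
        }
        return res.json({ data: token })
      })
    })
  })
})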

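router.post('/signin', (req, res, next) => {
  // Input validation (legacy express-validator API: req.check / req.validationErrors).
  req.check('email', 'Please enter a valid email').len(1).isEmail()
  req.check('password', 'Please enter a password with a length between 4 and 34 digits').len(4, 34)

  const errors = req.validationErrors()
  if (errors) {
    return res.status(400).json({ errors })
  }
  const password = req.body.password

  // Resolve the signing key up front. Previously a missing env var made
  // `new Buffer(undefined, ...)` throw inside a callback (an unhandled
  // exception); now it is a clean 500. `new Buffer()` is deprecated.
  const secretB64 = process.env.AUTH0_CLIENT_SECRET
  if (!secretB64) {
    return res.status(500).json({ error: 'Token signing key is not configured' })
  }
  const secret = Buffer.from(secretB64, 'base64')

  // One response for both "no such user" and "wrong password": the original
  // 'User not found' / 'Wrong password' pair let a caller probe which e-mails
  // are registered. Status 400 is kept for compatibility (401 is the more
  // conventional code for failed credentials). The unknown-user branch still
  // returns faster than a hash comparison, so a timing side channel remains.
  const rejectCredentials = () => res.status(400).json({ error: 'Invalid email or password' })

  User.findOne({ email: req.body.email }, (err, user) => {
    if (err) {
      return res.status(400).json({ error: err.message })
    }
    if (!user) {
      return rejectCredentials()
    }
    User.comparePasswordAndHash(password, user.passwordHash, (err, areEqual) => {
      if (err) {
        return res.status(400).json({ error: err.message })
      }
      if (!areEqual) {
        return rejectCredentials()
      }
      // Keep the payload minimal and non-secret: it is only base64url-encoded,
      // so the client (and anyone who obtains the token) can read it.
      const payload = {
        _id: user._id,
        iss: 'http://localhost:3000',
        permissions: 'poll',
      }
      const options = {
        expiresIn: '7d',
        jwtid: v4(), // unique token id (jti); a server-side denylist keyed on it can revoke a single token
      }
      jwt.sign(payload, secret, options, (err, token) => {
        // Previously the error was ignored and `{ data: undefined }` was sent.
        if (err) {
          return res.status(500).json({ error: 'Could not issue token' })
        }
        return res.json({ data: token })
      })
    })
  })
})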

// Export the signup/signin router so the application can mount it.
module.exports = router;


Later on, this piece of the payload:
// The payload as issued by the routes above. A JWT payload is signed, not
// encrypted: it is base64url-encoded JSON that anyone holding the token can
// read, so it must carry only non-secret identifiers and claims.
const payload = {
 _id: item._id,
 iss: 'http://localhost:3000',
 permissions: 'poll',
 }

you can "decode" directly on the client, which is very convenient (decoding only reads the payload; it does not verify the signature, which remains the server's job).
