Securing API with JWT
Hey, I am building the APIs for the user. After the user logs in, he receives a JWT token which gives him access to the rest of the APIs.
He now has access to the update-profile-picture API, which requests two things:
1- picture (PNG, gif, jpeg)
2- his Id
After filling these in, the API checks if the ID matches the ID he has in his JWT claims. If they don't match, the API will return "Unauthorized".
However, a user can easily mess around with the JWT and change the claim values. He can change the role from User to Admin; he can change his ID in the claims too!
I can stop asking the user for the ID and just get it directly from the JWT token, but it is still not secure enough.
Thank you for your help.
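A worked example, added here and not part of the original post, of the server-side check a JWT-protected API relies on: the token is signed with a secret only the server holds, so a client who edits the claims (role User to Admin, or a different ID) without that secret produces a token whose signature no longer verifies, and the handler takes the user ID only from the verified claims rather than from the request body. HS256 signing and verification are implemented directly with the standard hmac/hashlib modules; the secret value, the user IDs, the handler name update_profile_picture and the in-memory store are assumptions for illustration, not anything from the poster's code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Server-side secret (assumed value); in production load it from a secret store.
SECRET = b"example-hs256-secret-do-not-use-in-production"


class InvalidToken(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(user_id: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Server issues a signed HS256 token after a successful login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "role": role, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims only if the signature is valid and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm on the server side; never let the header choose it.
        if header.get("alg") != "HS256":
            raise InvalidToken("unexpected alg")
        expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature recomputed over header.payload.
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise InvalidToken("bad signature")
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:  # covers malformed base64 and malformed JSON
        raise InvalidToken("malformed token")
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    return claims


def tamper_claims(token: str, **changes) -> str:
    """Simulate the attacker from the post: edit the payload, keep the original signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims.update(changes)
    return f"{h_b64}.{_b64url(_json(claims))}.{s_b64}"


# Accept only the three image formats the API allows, identified by magic bytes.
ALLOWED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


def detect_image_type(data: bytes) -> Optional[str]:
    for magic, mime in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def update_profile_picture(token: str, picture: bytes, store: dict,
                           now: Optional[int] = None) -> Tuple[int, str]:
    """Hypothetical handler: the user ID comes only from the verified token, never from the request."""
    try:
        claims = verify_token(token, now=now)
    except InvalidToken as e:
        return 401, f"Unauthorized: {e}"
    mime = detect_image_type(picture)
    if mime is None:
        return 400, "Bad Request: only PNG, GIF or JPEG accepted"
    store[claims["sub"]] = (mime, picture)
    return 200, f"picture updated for user {claims['sub']}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("42", "User", now=now)
    forged = tamper_claims(token, role="Admin", sub="1")
    pictures = {}
    print(update_profile_picture(token, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, pictures, now=now))
    print(update_profile_picture(forged, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, pictures, now=now))
```

The point the handler makes is that the "ID" field in the request is redundant: whatever the client sends, the record that gets updated is the one named by the `sub` claim that survived signature verification, and a client who rewrites the claims cannot produce a matching signature without the server's secret.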
