I'm using jsonwebtoken on my Node.js server, and inside the JSON Web Token I store the role of the user.
So every time he makes a request, I just have to check whether the required role is given in the token. But can people change this role? I know everyone can see it, but I guess no one can change it without my secret, right?
Of course, I'm always checking that the jsonwebtoken is correctly signed. Do you think this method seems good? Sorry, English is not my main language.
I guess you store the JWT in a cookie or in LocalStorage on the client side.
So of course the user can delete or alter the cookie, but he can't read it without your secret.
So if he tries to update the token, it will probably become corrupted and unreadable from your server side.
If the token is corrupted, you'll probably want to log out the user and redirect him to the login page.