Comments by "T J" (@TJ-hs1qm) on "ByteByteGo" channel.

  1. Related blog post article "Why you should not use JWT"

Quick JWT Pros & Cons from the article:

JWT PROS (article's view, often with caveats):
👍 Stateless: User data in token, no immediate DB lookup.
👍 Microservices: Services can verify tokens on their own.

JWT CONS (article's main warnings):
👎 LOGOUT/INVALIDATION: Very hard! Tokens are live until they expire.
👎 ENCODED, NOT ENCRYPTED: Big one! JWT payloads are just Base64 encoded (readable), NOT private/encrypted by default. Don't leak sensitive data!
👎 Workarounds Add Complexity: Blocklists or refresh tokens add back state/complexity, fighting the "stateless" goal.
👎 Overall Complexity: More to manage than simple bearer tokens.
👎 Other Security Risks: `alg:none` issues, JSON parsing vulns.

Article's Takeaway: Most devs should be very wary of JWTs due to these issues (especially logout & data exposure if misunderstood). Simpler bearer tokens are often better.

From a 2024 perspective, here's some added nuance:

The "can't logout/invalidate" argument is key. Today, the standard solution is:
* *Short-Lived JWTs:* Access tokens that expire quickly (e.g., 15 mins).
* *Long-Lived Refresh Tokens:* Used to get new access JWTs. Logout means invalidating this refresh token server-side.

This limits the window a compromised JWT is useful. While the article says blocklisting negates JWT benefits, checking a refresh token or a JWT ID in an in-memory store (like Redis) is often much faster than a full traditional session lookup. So, some performance benefits can remain.

Also, important security notes:
* *Encoded, NOT Encrypted:* The article rightly flags that JWT payloads are Base64URL encoded (readable), NOT encrypted by default. Don't put sensitive data in them unless you use JWE!
* *`alg:none` Risk:* Modern JWT libraries are generally much safer by default against this old vulnerability.

The article's point about JWTs being "only for microservices" is a bit strict. They're also widely used for SPAs and mobile apps (with the refresh pattern) to manage auth state without traditional cookies.

The core message of "understand the complexity" is still very valid. JWTs aren't a magic bullet, and simple server-side sessions are often a great, simpler choice. But the "never use JWTs" stance is a bit strong today, as the industry has largely adopted patterns to mitigate the biggest concerns. It's about trade-offs!
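The pattern the comment describes, as an added example (not code from the commenter, the channel, or the article): a short-lived HS256 JWT carrying a `jti`, a verifier that pins the algorithm (so an `alg:none` header is rejected), checks `exp`, and consults a revocation set standing in for the Redis store, plus a `peek_payload` helper showing that the payload is readable without any key. The secret, TTL and in-memory set are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key-not-for-production"  # assumed shared HMAC key
ACCESS_TTL = 15 * 60  # short-lived access token: 15 minutes, per the comment
revoked_jti = set()   # stand-in for the Redis store of revoked token IDs

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, jti: str, now: int) -> str:
    """Mint an HS256 access token that expires ACCESS_TTL seconds after now."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def peek_payload(token: str) -> dict:
    """No key needed: the payload is only Base64URL encoded, not encrypted."""
    return json.loads(_unb64url(token.split(".")[1]))

def verify_token(token: str, now: int):
    """Return the payload if valid, else None. Checks alg, signature, exp, jti."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
    except ValueError:            # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never honour "none"
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None
    payload = json.loads(_unb64url(p))
    if payload.get("exp", 0) <= now:           # short TTL bounds the damage window
        return None
    if payload.get("jti") in revoked_jti:      # fast in-memory revocation check
        return None
    return payload

def logout(jti: str) -> None:
    """Revoke one token ID; verification fails for it until it expires anyway."""
    revoked_jti.add(jti)
```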