⚠️ This lesson is retired and might contain outdated information.

Encrypt IBM Domino User Roles Data into a JWT in a Express Application

Mark Barton
InstructorMark Barton
Share this video with your friends

Social Share Links

Send Tweet
Published 6 years ago
Updated a year ago

This lesson will digitally sign the IBM Domino user information into a JWT which can then be sent from the server to the client.

This JWT can then be sent back from the client to the server and the role information within the JWT file can be decrypted to determine a users level of functional access.

Instructor: [00:01] The first thing we're going to do is install a new library in our Node server called JSON Web Token. We're then going to modify our user roles root. The first thing we're going to do is deconstruct the roles and user name from the response.

[00:14] For convenience, we're going to set an expiry on the JWT file of seven days. Remember, Domino is still doing the security role. Even if the user says they have a certain role, if they don't have access to the data, Domino will still reject it.

[00:30] We'll just have a date, which will be today. Expiry date, and pass it in the today date, and we're adding seven days. Our payload is going to be an object. The JWT library will have a signs method of that object.

[00:48] The first thing we're going to have is the user name, the roles, the expiry. This is a standard for JWT, EXP, and then we need a secret. For now, we're going to hard-code a secret in here. We'll use the secret to decode the JWT later on. We'll just use Egghead for now. Finally, we're going to send the JWT token back to the client.

[01:17] Let's see what that looks like. Firing up the browser to our local host with the index.html, so our service running. The first thing I'm going to do is log in so that we refresh our local token. We successfully logged in, and we got the Domino session ID stored in our local storage.

[01:37] Now if I call get user roles, what should happen is if I look in the console, we actually get back a nice long string. If I look at the network tab, this should probably be easy to see. Our response is a Base64-encoded string.

[01:53] JWT tokens are not protecting any sort of privacy. You shouldn't put anything secret in here, because if I go to another website here, which is called jwt.io, if I scroll up, and if I paste my token in, you can see on this side that actually, it's decrypted my JWT token.

[02:14] There is my name, and my roles. Just to be aware, do not store anything secret in your JWT token. The important thing is if I try and manipulate this Base64 in the client and send it back, my Node server will reject the token, and therefore not respect the roles that I'm trying to say I have.

egghead
egghead
~ 14 minutes ago

Member comments are a way for members to communicate, interact, and ask questions about a lesson.

The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on egghead.io

Be on-Topic

Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at support@egghead.io.

Avoid meta-discussion

  • This was great!
  • This was horrible!
  • I didn't like this because it didn't match my skill level.
  • +1 It will likely be deleted as spam.

Code Problems?

Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context

Details and Context

Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!

Markdown supported.
Become a member to join the discussionEnroll Today