At the moment I thought to put it nowhere, I thought I could sign the generated URL and compare the tokens and go from there.
Code is as follows:
const express = require(‘express’);
const app = express();
const randomId = require(‘random-id’);
const jwt = require(‘jsonwebtoken’);let len = 30;
let pattern = ‘aA0’;app.post(‘/api/application’, (req, res) => {
const url = randomId(len, pattern)
jwt.sign(url, ‘secretkey’, (err, token) => {
res.json({
token,
url
})
})
})app.get(‘/application/:url’, (req, res) => {
jwt.verify(req.params.url, ‘secretkey’, (err, authData) => {
if (err) {
res.sendStatus(403);
} else {
res.json({
message: ‘Access granted…’,
authData
})
}
})
})app.listen(‘3000’, () => console.log(“Listening on port: 3000”))
We can even get rid of the first form… My goal is just to generate a random url and if I make a GET request to it, I would like to have access to it.
I think it wouldn’t really matter if I would just use the token as parameter in the URL, though I would like to keep the URL as slim as possible, because I would like to email the URL to customer, and the URL should be accessed only once, so there shouldn’t be problem that someone could retrieve the payload from the token.