Token verification and validation #783

@Nour833

My name is Nour, and I am currently working on a project in Django (RestAPI) that heavily relies on token-based authentication using Simple JWT. As a contributor to Simple JWT, I am reaching out to seek clarification on some security-related concerns.

I would like to inquire about the automatic verification of tokens provided by Simple JWT. Specifically, I am interested in understanding whether Simple JWT automatically verifies tokens to prevent manipulation by hackers, such as altering the user_id, jti, or other token claims.

Furthermore, I would like to know if relying on the IsAuthenticated permission class and request.user.is_authenticated property is sufficient to ensure the extreme validation of tokens, or if it is advisable to manually verify tokens using jwt.decode.

Given the critical role of token security in our project, I want to ensure that we are implementing the most robust authentication mechanism possible. Any insights or recommendations you can provide would be greatly appreciated.

Thank you very much for your time and assistance. I look forward to hearing from you soon.
