28 Aug
Changing credentials: Should I send the password next to the JWT?
I'm wondering: when the user changes their password or their e-mail address, should I expect the current password in the request body and verify it at my backend? The advantage seems to be that a stolen JWT doesn't suffice to steal one's identity, the disadvantage that the plain-text password is sent more often than strictly necessary, increasing the risk of a man-in-the-middle attack. (Since an e-mail address can be used to reset a password, I see no need for a distinction between changing a password and changing an e-mail address.)
And, if I decide to require the password for these change requests - is there any point in requiring a JWT at all?
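The scheme the question describes, as an added example that is not part of the original post: a password-change handler that requires both a valid JWT (which names the account and proves an active session) and the current password (which proves the caller is the account owner, so a stolen token alone is not enough). It also shows one extra step the question does not mention: bumping a per-user credential version carried in the token so that every JWT issued before the change stops working. The minimal HS256 signing code, the PBKDF2 password hashing and the in-memory user store are constructed for this illustration; a real service would use a vetted JWT library and a database.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: bytes = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; salt is random per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])


def issue_jwt(sub: str, cred_version: int, ttl: int = 3600) -> str:
    """Hypothetical minimal HS256 JWT: header.payload.signature (base64url)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "cv": cred_version, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Returns the claims dict if the signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        signing_input = f"{header}.{payload}".encode()
        expected = hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Constructed user store: user id -> {password record, credential version}.
USERS = {"alice": {"pw": hash_password("correct horse"), "cv": 1}}


def change_password(token: str, current_password: str, new_password: str) -> str:
    """Returns 'ok' or a reason string.

    The JWT proves which account is being changed and that the caller is
    signed in; the current password proves the caller is the owner of that
    account. Both must pass before anything is written.
    """
    claims = verify_jwt(token)
    if claims is None:
        return "invalid_token"
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("cv") != user["cv"]:
        return "stale_token"  # token predates an earlier credential change
    if not verify_password(current_password, user["pw"]):
        return "wrong_password"
    user["pw"] = hash_password(new_password)
    user["cv"] += 1  # every JWT issued with the old version is now rejected
    return "ok"


if __name__ == "__main__":
    token = issue_jwt("alice", USERS["alice"]["cv"])
    print(change_password(token, "wrong guess", "new pass"))   # wrong_password
    print(change_password(token, "correct horse", "new pass"))  # ok
    print(change_password(token, "new pass", "another"))        # stale_token
```

The credential-version claim is what makes the JWT worth keeping even when the password is required: after a successful change, tokens that were issued before it (including one an attacker may hold) fail the `cv` comparison without the server having to keep a revocation list.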