Express.js how to retrieve a request IP securely?

mouchin777 :

Since I can't use SSL on some servers that are sending sensitive data using bearer tokens, I was thinking about assigning an IP address when the user logs in, attaching it to each JWT in a database, and checking it before refreshing it (short-lived access tokens). The problem I've found is that I don't know how to securely retrieve the IP in the backend.

I have seen that you can put app.set('trust proxy', true) in your Express initialization and then retrieve IP addresses with req.ip, but apparently, since app.set trusts proxies, it means that the headers received by Express can be modified by an attacker, right? So it would be pointless, since anyone could embed a fake IP.

Is there any alternative to this that doesn't use SSL and doesn't use AES to encrypt the bearer tokens?
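An added example (not from the question or the answer), in plain Node so it runs without Express: it re-implements the hop-walk Express performs for req.ip. With trust proxy set to true every entry in X-Forwarded-For is believed, so a client can prepend any address; listing only the real proxy's address means the header is consulted only when the connection actually arrives from that proxy. The addresses and header values are constructed; CIDR ranges and hop counts, which the real setting also accepts, are left out.

```javascript
// Express delegates `req.ip` to the proxy-addr package. The function below
// mirrors its rule: start at the socket address, step leftwards through
// X-Forwarded-For while each hop is a trusted proxy, and return the first
// address that is NOT trusted. (Assumption: trust is true/false or an array
// of exact IP strings; real Express also accepts CIDRs and hop counts.)

// Build the full chain: X-Forwarded-For entries left to right, then the
// address the TCP socket actually came from (the only hop we can observe).
function forwardedChain(socketAddr, xffHeader) {
  const hops = (xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  return [...hops, socketAddr];
}

// Resolve the client IP under a trust policy, like app.set('trust proxy', trust).
function clientIp(socketAddr, xffHeader, trust) {
  const chain = forwardedChain(socketAddr, xffHeader);
  const isTrusted = (addr) =>
    trust === true ? true : trust === false ? false : trust.includes(addr);
  let i = chain.length - 1; // nearest hop: the socket address
  while (i > 0 && isTrusted(chain[i])) i--; // skip trusted proxies
  return chain[i]; // first untrusted hop, or the leftmost entry if all trusted
}

// Constructed request: attacker at 203.0.113.9 connects directly (no proxy in
// between) and prepends a forged header naming a victim address and our proxy.
const SPOOFED = { socket: '203.0.113.9', xff: '1.2.3.4, 10.0.0.5' };

// trust proxy = true: every hop is believed, attacker picks the "client" IP.
console.log(clientIp(SPOOFED.socket, SPOOFED.xff, true)); // 1.2.3.4

// trust proxy = ['10.0.0.5'] (only the real reverse proxy): the socket address
// is not a trusted proxy, so the forged header is ignored.
console.log(clientIp(SPOOFED.socket, SPOOFED.xff, ['10.0.0.5'])); // 203.0.113.9
```

The same policy still reports the real client when the request genuinely arrives through 10.0.0.5, because the walk stops at the first hop the proxy did not add itself.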

sunknudsen :

As mentioned by CaptEmulation, you should always enable SSL on production servers, especially when authenticating users.

That being said, I believe it is not possible to spoof an IP address when sending a request to a server. The IP address is used to route data back to an attacker so it has to be either the attacker’s ISP-assigned, VPN-assigned or proxy-assigned IP.

IMPORTANT WARNING: As mentioned by jfriend00, although it is not possible to spoof an IP, without SSL, it is possible to put together a man-in-the-middle attack and intercept or manipulate the data that is sent between users and the server.
