szerhusenBC/jwt-spring-security-demo

Unnecessary check for username

Closed this issue · 2 comments

Looks like jwtTokenUtil.validateToken() should check only dates and should omit checking the username. Since we use a private key during the token generation step, the client has no ability to change the username inside the token. That will save us one DB call for each request.

I think @ka4ok85 is right. If a malicious user tampers with the token and changes the username, will it not fail while parsing the token in getClaimsFromToken?

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

// Parses the compact JWS and verifies its signature with the server-side secret.
// Returns null when the token is malformed, expired, or carries a bad signature,
// so a payload edited without the key never yields any claims.
private Claims getClaimsFromToken(String token) {
    Claims claims;
    try {
        claims = Jwts.parser()
                .setSigningKey(secret)
                .parseClaimsJws(token)   // throws on signature mismatch or expiry
                .getBody();
    } catch (JwtException | IllegalArgumentException e) {
        claims = null;
    }
    return claims;
}

@ka4ok85 You are right, for simple validation it is completely sufficient to just check the token integrity. But it can be necessary in some scenarios to do more checks (e.g. against the db). Because this is just a demo I will leave it as it is and mention your comment in the code.
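To make both points above concrete, here is an added HS256 example in Python; it is not code from the demo project or from any commenter, and the secret, the user table and the tamper helper are constructed for the demo. A token whose username was edited without the key fails signature verification in the getClaimsFromToken equivalent, so validateToken needs no DB call to trust the username; a DB check still catches state the token cannot carry, such as a user disabled after issuance.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret and "database"; not from the project.
SECRET = b"demo-secret-not-for-production"
ACTIVE_USERS = {"alice": True, "bob": False}  # bob was disabled after issuance

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def create_token(username: str, ttl: int, now: int = None) -> str:
    """Server-side issuance: only the holder of SECRET can produce a valid MAC."""
    now = int(time.time()) if now is None else now
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json({"sub": username, "iat": now, "exp": now + ttl}))
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def get_claims(token: str):
    """Equivalent of getClaimsFromToken: None when malformed or signature invalid.
    The header's alg field is ignored; HS256 with SECRET is always enforced."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # bad base64, wrong segment count, invalid JSON
        return None

def validate_token(token: str, now: int = None, check_db: bool = False) -> bool:
    """Integrity + expiry suffice to trust 'sub'; the DB lookup only adds
    state the token cannot know, e.g. the account being disabled meanwhile."""
    now = int(time.time()) if now is None else now
    claims = get_claims(token)
    if claims is None or claims.get("exp", 0) <= now:
        return False
    if check_db and not ACTIVE_USERS.get(claims.get("sub"), False):
        return False
    return True

def tamper_username(token: str, new_username: str) -> str:
    """What a client without the key can do: rewrite 'sub', keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_username
    return f"{header}.{_b64url(_json(claims))}.{sig}"
```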