 

Json web token does not expire

I just implemented a JSON web token authentication; on my backend I send the token, which is created by jsonwebtoken, to the client as follows:

var token = jwt.sign(user, secret.secretToken, { expiresInMinutes: 1 });
return res.json({ token: token });

and on the client side I simply store this token in the SessionStorage. The thing is that the token does not expire after a minute. Am I missing something?

EDIT: I implemented the same thing that is shown in this post.

anvarik asked May 13 '14 08:05




2 Answers

I found myself having the same problem when not providing an object as the first argument to jwt.sign, e.g. jwt.sign('testuser', secret.secretToken, { expiresIn: '1h' });.

This wrong usage of jwt.sign does work even though it is wrong; it just ignores the provided settings. https://github.com/auth0/node-jsonwebtoken/issues/64

Be sure to provide an object as first argument, like jwt.sign({user: 'testuser'}, secret.secretToken, { expiresIn: '1h' });

Update: There have been reported problems with usage of non-standard JavaScript objects, such as those from mongoose. Version 5.5.2 has a fix for this. More details here. Thanks @gugol for the notice. Make sure you pass a plain object with the properties you need, not a direct database object or similar.

Marius Rumpf answered Oct 08 '22 18:10



The token will not automatically be deleted from the Session storage. However, if you try to verify that the token is valid, the expired token should be rejected as invalid.

From this tutorial, the validity check should throw an exception:

if (token) {
  try {
    var decoded = jwt.decode(token, app.get('jwtTokenSecret'));

    // handle token here

  } catch (err) {
    return next();
  }
} else {
  next();
}

Verify is also included in the jsonwebtoken package. And this is from the docs:

(Synchronous with callback) Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will return the error.

Davin Tryon answered Oct 08 '22 17:10
