node.js - Invalidate JWT Token in NodeJS -

-

i followed tutorial using jwt token. token expiry set 5 minutes, if wanted invalidate token after 1 minute of use? want able make api call /api/logout , should delete token.

i'm using express , node.

it seems gather option have token db stores token. when want expire token, expire/remove token db.

i've seen people casually "remove" token physical hard space, cannot figure out token physically stored me remove it.

the general benefit of jwt token authentication tokens can contain session information keep in session store. saves considerable resources, in request-to-response times, because not have session data on each , every request - client gives that.

however, comes @ cost of not being able revoke jwt token @ time of choosing, because lost track of state.

the obvious solution of keeping list of invalidated tokens somewhere in database kind of removes above-described benefit because again have consult database on every request.

a better option issue short-lived jwt tokens, i.e. tokens valid 1 minute. web application, average user may perform several requests in minute (a user navigating around app). can give each user jwt token last minute , when request expired token arrives, you issue them new one.

update: issuing new access token after presenting expired token bad idea - should treat expired token invalid, if has been forged. better approach have client present refresh token prove user's identity, , issue new access token. note verifying refresh token must stateful operation, ie. must have list of valid refresh tokens per user somewhere in database, because if refresh token compromised, user must have means of invalidating token.


Comments

Post a Comment

Popular posts from this blog

node.js - Mongoose: Cast to ObjectId failed for value on newly created object after setting the value -

-
this question has answer here: what's mongoose error cast objectid failed value xxx @ path “_id”? 7 answers even though has been asked many times because entity has no valid objectid field. i came across situation objectid set value can casted objectid still error. the schema: var serviceschema = parammongoose.schema({ servicename:{ type: parammongoose.schema.types.objectid , ref: 'servicenames',required:true } }); pseudo code: servicefromdb=new service({servicename:'some name'}); servicefromdb.servicename='000000000000000000000001'; servicefromdb.save(function(paramerror,paramdata){ if(paramerror){ console.log('but but...',servicefromdb,paramerror) } }); the output of code is: but but... { servicename: 000000000000000000000001, _id: 55079a90286f49280364f78b } { [casterror: cast objectid faile...
Read more

gradle error "Cannot convert the provided notation to a File or URI" -

-
i have defined 2 system properties in gradle.properties: systemprop.builddir=build systemprop.cfgdir=build\\cfg and have following task defined in build.gradle: task clean(group:'clean',description:'clean project') << { ant.sequential { delete(dir: system.properties.builddir) mkdir(dir: system.properties.builddir) delete(dir: system.properties.cfgdir) mkdir(dir: system.properties.cfgdir) } } this generates following error: execution failed task ':clean'. > cannot convert provided notation file or uri: {dir=build}. following types/formats supported: - string or charsequence path, e.g 'src/main/java' or '/usr/include' - string or charsequence uri, e.g 'file:/usr/include' - file instance. - uri or url instance. but equivalent block of code not generate error , works expected: task clean(group:'clean',description:'clean project') << { ...
Read more

python - NameError: name 'subprocess' is not defined -

-
i'm trying make rng website: http://jamesdotcom.com/?p=417 . when run following code: captureimage = subprocess.popen( [ "fswebcam", "-r", "356x292", "-d", "/dev/video0", "static.jpg", "--skip", "10" ], stdout=devnull, stderr=devnull) captureimage.communicate() i following error message: nameerror: name 'subprocess' not defined what should do? thanks have imported first? import subprocess captureimage = subprocess.popen(["fswebcam", ...) subprocess included in python standard library since python 2.4. should not necessary install it.
Read more