Passport-jwt token expiration


Solution 1

The standard for JWT is to include the expiry in the payload as "exp". If you do that, the passport-JWT module will respect it unless you explicitly tell it not to. Easier than implementing it yourself.

EDIT

Now with more code!

I typically use the npm module jsonwebtoken for actually creating/signing my tokens, which has an option for setting expiration using friendly time offsets in the exp element of the payload. It works like so:

const express = require('express');
const jwt = require('jsonwebtoken');

const router = express.Router();

// in your login route
router.post('/login', (req, res) => {
  // do whatever you do to handle authentication, then issue the token.
  // The secret is hard-coded here for brevity; load it from config in practice.
  // `expiresIn` is translated into an `exp` claim (seconds since epoch) in the payload.
  const token = jwt.sign(req.user, 's00perS3kritCode', { expiresIn: '30m' });
  res.send({ token });
});

Your JWT Strategy can then look like what you have already, from what I see, and it will automatically respect the expiration time of 30 minutes that I set above (obviously, you can set other times).

Solution 2

You can use the following strategy to generate a JWT token with an expiration limit of 1 hr.

const jwt = require('jsonwebtoken');

// `exp` is a NumericDate: seconds (not milliseconds) since the Unix epoch.
let token = jwt.sign({
    exp: Math.floor(Date.now() / 1000) + (60 * 60), // now + 1 hour
    data: JSON.stringify(user_object)
}, 'secret_key');
// The 'JWT ' scheme matches what ExtractJwt.fromAuthHeader() expects in the Authorization header.
res.send({token : 'JWT '+token})
Author: 1fabiopereira

Updated on July 09, 2022

Comments

  • 1fabiopereira (almost 2 years)

    I am using passport-jwt to generate my tokens, but I noticed that the tokens never expire. Is there any way to invalidate a particular token according to a rule set for me, something like:

    'use strict';
    const passport = require('passport');
    const passportJWT = require('passport-jwt');
    const ExtractJwt = passportJWT.ExtractJwt;
    const Strategy = passportJWT.Strategy;
    const jwt = require('../jwt');
    const cfg = jwt.authSecret();
    
    const params = {
        secretOrKey: cfg.jwtSecret,
        jwtFromRequest: ExtractJwt.fromAuthHeader()
    };
    
    module.exports = () => {
        const strategy = new Strategy(params, (payload, done) => {
            //TODO: Create a custom validate strategy
            done(null, payload);
        });
        passport.use(strategy);
        return {
            initialize: function() {
                return passport.initialize();
            },
            authenticate: function() {
                //TODO: Check if the token is in the expired list
                return passport.authenticate('jwt', cfg.jwtSession);
            }
        };
    };
    

    or some strategy to invalidate some tokens

    • Mr. B. (about 7 years)
      Could you solve it?
  • Ernest Zamelczyk (almost 7 years)
    If you're still doing that, I would suggest you stop. You're missing the whole point of JWTs, as they should be stateless.
  • trojek (over 6 years)
    What are the best practices for extending the lifetime of a token? For example, if a user wants to spend more than 30 minutes in the application?
  • Paul (over 6 years)
    This is done through what's commonly referred to as a 'refresh token', which basically means you ask for a new auth token against a specific endpoint. The client application has to be proactive about this, usually. More details: auth0.com/blog/…
  • Marc DiMillo (over 6 years)
    Yeah, exactly, bad practice here. Better alternatives for a stateful approach.
  • stefano (over 3 years)
    As stated previously, JWTs are stateless and should not be stored in the database.
  • iamcrypticcoder (almost 2 years)
    I added expiresIn: '10s' but it doesn't work. The token is still working after 10 seconds.