Passport-jwt token expiration
Solution 1
The standard for JWT is to include the expiry in the payload as "exp". If you do that, the passport-JWT module will respect it unless you explicitly tell it not to. Easier than implementing it yourself.
EDIT
Now with more code!
I typically use the npm module jsonwebtoken for actually creating/signing my tokens, which has an option for setting expiration using friendly time offsets in the exp element of the payload. It works like so:
const jwt = require('jsonwebtoken');

// in your login route
router.post('/login', (req, res) => {
  // do whatever you do to handle authentication, then issue the token:
  // expiresIn is a friendly offset that jsonwebtoken turns into the "exp" claim
  const token = jwt.sign(req.user, 's00perS3kritCode', { expiresIn: '30m' });
  res.send({ token });
});
Your JWT Strategy can then look like what you have already, from what I see, and it will automatically respect the expiration time of 30 minutes that I set above (obviously, you can set other times).
Solution 2
You can use the following strategy to generate a JWT token with an expiration limit of 1 hr.
const jwt = require('jsonwebtoken');

let token = jwt.sign({
  // "exp" is a Unix timestamp in seconds: now plus one hour
  exp: Math.floor(Date.now() / 1000) + (60 * 60),
  data: JSON.stringify(user_object)
}, 'secret_key');

// the 'JWT ' scheme prefix matches ExtractJwt.fromAuthHeader() in the question
res.send({ token: 'JWT ' + token });
1fabiopereira
Updated on July 09, 2022

Comments
1fabiopereira almost 2 years
I am using passport-jwt to generate my tokens, but I noticed that the tokens never expire. Is there any way to invalidate a particular token according to a rule set by me, something like:

'use strict';
const passport = require('passport');
const passportJWT = require('passport-jwt');
const ExtractJwt = passportJWT.ExtractJwt;
const Strategy = passportJWT.Strategy;
const jwt = require('../jwt');
const cfg = jwt.authSecret();

const params = {
  secretOrKey: cfg.jwtSecret,
  jwtFromRequest: ExtractJwt.fromAuthHeader()
};

module.exports = () => {
  const strategy = new Strategy(params, (payload, done) => {
    //TODO: Create a custom validate strategy
    done(null, payload);
  });
  passport.use(strategy);
  return {
    initialize: function() {
      return passport.initialize();
    },
    authenticate: function() {
      //TODO: Check if the token is in the expired list
      return passport.authenticate('jwt', cfg.jwtSession);
    }
  };
};

or some strategy to invalidate some tokens
Mr. B. about 7 years
Could you solve it?

Ernest Zamelczyk almost 7 years
If you're still doing that I would suggest you stop. You're missing the whole point of JWTs, as they should be stateless.

trojek over 6 years
What are the best practices to extend the lifetime of a token? For example, if a user wants to spend more than 30 minutes in the application?

Paul over 6 years
This is done through what's commonly referred to as a 'refresh token', which basically means you ask for a new auth token against a specific endpoint. The client application has to be proactive about this, usually. More details: auth0.com/blog/…

Marc DiMillo over 6 years
Yeah exactly, bad practice here. Better alternatives for a stateful approach.

stefano over 3 years
As stated previously, JWTs are stateless and should not be stored in the database.

iamcrypticcoder almost 2 years
I added
expiresIn: '10s'
but it doesn't work. The token still works after 10 seconds.