1fabiopereira
1fabiopereira

Reputation: 542

Passport-jwt token expiration

I am using passport-jwt to generate my tokens but I noticed that the tokens never expire, is there any way to invalidate a particular token according to a rule set for me, something like:

'use strict';
const passport = require('passport');
const passportJWT = require('passport-jwt');
const ExtractJwt = passportJWT.ExtractJwt;
const Strategy = passportJWT.Strategy;
const jwt = require('../jwt');
const cfg = jwt.authSecret();

const params = {
    secretOrKey: cfg.jwtSecret,
    jwtFromRequest: ExtractJwt.fromAuthHeader()
};

module.exports = () => {
    const strategy = new Strategy(params, (payload, done) => {
        //TODO: Create a custom validate strategy
        done(null, payload);
    });
    passport.use(strategy);
    return {
        initialize: function() {
            return passport.initialize();
        },
        authenticate: function() {
            //TODO: Check if the token is in the expired list
            return passport.authenticate('jwt', cfg.jwtSession);
        }
    };
};

or some strategy to invalidate some tokens

Upvotes: 18

Views: 31800

Answers (4)

Nicolas Bodin
Nicolas Bodin

Reputation: 1591

If you want to manipulate expiresIn with seconds

const { sign } = require('jsonwebtoken');

function generateToken(id) {
  const options = {
    expiresIn: 10, // seconds
    algorithm: 'RS256'
  };
  const payload = {
    sub: id,
    iat: Math.floor(Date.now() / 1000)
  };
  return sign(payload, 'PRIVATE_KEY', options);
}

Upvotes: 0

Sumit Kumar
Sumit Kumar

Reputation: 823

You can use the following strategy to generate JWT-token with expiration limit of 1 hr.

let token = jwt.sign({
    exp: Math.floor(Date.now() / 1000) + (60 * 60),
    data: JSON.stringify(user_object)
}, 'secret_key');
res.send({token : 'JWT '+token}) 

Upvotes: 2

Paul
Paul

Reputation: 36349

The standard for JWT is to include the expiry in the payload as "exp". If you do that, the passport-JWT module will respect it unless you explicitly tell it not to. Easier than implementing it yourself.

EDIT

Now with more code!

I typically use the npm module jsonwebtoken for actually creating/signing my tokens, which has an option for setting expiration using friendly time offsets in the exp element of the payload. It works like so:

const jwt = require('jsonwebtoken');

// in your login route
router.post('/login', (req, res) => {
  // do whatever you do to handle authentication, then issue the token:

  const token = jwt.sign(req.user, 's00perS3kritCode', { expiresIn: '30m' });
  res.send({ token });
});

Your JWT Strategy can then look like what you have already, from what I see, and it will automatically respect the expiration time of 30 minutes that I set above (obviously , you can set other times).

Upvotes: 29

1fabiopereira
1fabiopereira

Reputation: 542

I created a document in the database that stores the generated tokens and added an expiration date, when the user makes the request check if the token is expired or no.

This is verify strategy that I used.

/* ----------------------------- Create a new Strategy -------------------------*/
const strategy = new Strategy(params, (payload, done) => {

    const query = {
        token: jwtSimple.encode(payload, credentials.jwtSecret),
        expires: {$gt: new Date()}
    };

    TokenSchema.findOne(query, (err, result) => {
        if (err) done(err, null);
        if (!result) done(null, null);
        done(null, payload);
    });
});
passport.use(strategy);
/* -------------------------------------------------------------------------------*/

It's work for me.

Upvotes: -5

Related Questions