user13708746

Opinion on a particular strategy for JWT authorization?

I've decided to implement JWT as an authorization method for a webapp I'm building. I chose this method because I like not needing to query my database on every request and because horizontal scaling is easier (I won't need to use sticky sessions on a load balancer).

The downside of this approach is that I have to set an expiration date/time on accessTokens otherwise users will have access to my webapp forever. The solution is to use refreshTokens.

But again, the downside here is I have to now maintain these tokens in my database so that I can revoke one if a user changes his/her password or an account becomes compromised.

I wondered if there's a better way?

So I came up with this strategy and I wanted your perspective in the event I've overlooked something:

1.) First, let me say that all user objects in my database maintain a property called "passwordLastChanged"

2.) On a successful login, I'll provide an accessToken with an expiration date that's valid for +4 hours in the future. The access token will also provide an additional field -- "absoluteExpire", which will be set to 7 days in the future (more on this below)

3.) At the end of 4 hours, when the user accesses a page requiring authorization, the system will first check the database, specifically the passwordLastChanged property.

If the passwordLastChanged is prior to the 4 hour expiration of the accessToken but after its creation date/time, the user is forced to re-login, resetting the whole token process (in other words, going back to step #2).

If the "absoluteExpire" has been reached, the user would also be forced to re-login.

Otherwise, the accessToken is refreshed for another 4 hours and the "absoluteExpire" attribute is carried over.

Am I overlooking anything obvious? Is this a good strategy?

Upvotes: 0

Views: 29

Answers (1)

Herbie Vine

Reputation: 2025

I'm a front-end developer and I find that if you only need Authentication through email/password, Google, Twitter, etc., Google Firebase is the way to go. It's super easy to set up, and to create a user it's as simple as:

import firebase from 'firebase/app'
import 'firebase/auth'

// Create an email/password user; the promise is returned so callers can await it
const createUser = (email, pwd) => {
  return firebase.auth().createUserWithEmailAndPassword(email, pwd)
    .then(user => console.log(user))  // resolves with the signed-in user credential
    .catch(e => console.log(e))       // e.g. weak password or email already in use
}

Upvotes: 1
