Reputation: 171
I use jsonwebtoken to create an access token for authentication purposes in my web app in Node.js using Express.
I want to define an expiry date for this token, but I don't know how it refreshes the "iat" when the user performs some activity. Basically, I want the expiry period to start over again if the user performs some activity within 30 minutes of the last activity.

    jwt.sign({ _userName: userName, _name: name + ' ' + sureName, _role: role.name }, config.get('jwtPrivateKey'));

This is how I create the token. So the question is: how can I refresh the token and send a new one when the user is active within 30 minutes, so that the user does not need to log in again within 30 minutes and the token stays valid? And then I want the token to expire if the user does not perform any task for more than 30 minutes.
Upvotes: 1
Views: 396
Reputation: 171
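I fixed it using this, so that I can generate a new one in case I need it:

    // Error-handling middleware (four arguments): runs when a route calls next(message).
    app.use(function (message, req, res, next) {
        try {
            if (typeof message === 'string') {
                // The values for the new token are read from the request body.
                let userName = req.body._userName;
                let name = req.body._name;
                let role = req.body._role;
                // generateToken is defined elsewhere (not shown in this post).
                let token = generateToken(userName, name, role);
                // Return the new token in a response header together with the message.
                res.header('z-auth-token', token).status(200).send(message);
            } else {
                // Anything that is not a string is passed on as a real error.
                next(message);
            }
        } catch (e) {
            next(e);
        }
    });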
Upvotes: 0
Reputation: 1558
The standard way to refresh an access token is to create a separate token, a "refresh token" (literally). Here is a blog post to get you started.
The basic idea is to send both tokens to the client. The access token expires in X time, and the refresh token expires in a much longer amount of time. Once the client gets an error from the server (unauthenticated), it sends another request to the server asking for a new access token. It passes the refresh token when making this request. The server checks if the refresh token is valid, and if so it will return a new refresh/access token pair to the client. It's important that the refresh token can only be used to get new access tokens, and the access token is used for retrieving data from the server.
Upvotes: 2
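The access/refresh exchange described in the answer above, as an added example that is not part of the original posts. It builds HS256 tokens with Node's built-in `crypto` instead of the jsonwebtoken package so it runs without dependencies. The `use` claim, the secret, the 5-minute access lifetime and the `now` parameter (seconds, passed in so expiry can be demonstrated) are assumptions.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: load from config in a real app
const ACCESS_TTL = 5 * 60;                // access token lifetime in seconds (assumed)
const IDLE_TTL = 30 * 60;                 // refresh token lifetime = 30-minute inactivity window

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Build a compact HS256 JWT. `use` is a hypothetical claim separating the two token kinds.
function sign(claims, use, ttl, now) {
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({ ...claims, use, iat: now, exp: now + ttl });
  return body + '.' + mac(body);
}

// Return the claims if signature, expiry and intended use all check out, else null.
function verify(token, use, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const expected = Buffer.from(mac(parts[0] + '.' + parts[1]));
  const given = Buffer.from(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); } catch { return null; }
  return claims.use === use && now < claims.exp ? claims : null;
}

function issuePair(user, now) {
  return {
    access: sign(user, 'access', ACCESS_TTL, now),
    refresh: sign(user, 'refresh', IDLE_TTL, now),
  };
}

// Exchange a valid refresh token for a fresh pair; identity comes from the verified
// token, never from the request body. Returns null when the user must log in again.
function refresh(refreshToken, now) {
  const claims = verify(refreshToken, 'refresh', now);
  if (!claims) return null;
  const { _userName, _name, _role } = claims;
  return issuePair({ _userName, _name, _role }, now);
}
```

Each successful `refresh` returns a refresh token valid for another 30 minutes, which gives the sliding window asked about in the question. An earlier refresh token stays valid until its own `exp`; revoking it sooner needs server-side state.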