Refresh token #122
Comments
|
OK thanks. But some example of how to implement with node-jsonwebtoken? |
|
+1 |
1 similar comment
|
+1 |
|
is there a way to reissue the same token but just change the expiry date? |
|
kinda same as #133 but is there any official support to refresh a token? jwt.updateToken(token, data) |
|
@morgondag I think your implementation is very dangerous since you are not assigning any expiration time to the token. It means that if some hacker gets the token, he/she can access your API indefinitely. |
|
@mateeyow sounds good, so what we are asking for is a way to update a token. So there is no real way to update a token or change it expiry date without generating a new key. I guess the best way is simply to force to user to login again and again and again :-/ |
|
I am also having trouble finding good information on:
|
|
+1 |
|
any progress? |
|
you can verify user using previous token, then generate a new one for that user. Like: jsonwebtoken.verify(token, mySecret, function (err, user) {
if (err) {
return res.json(err);
}
if (user.id)
res.json({
newToken: jwToken.issue({
id: user.id
})
});
}); |
|
This is what I ended up doing on my end. My token is already verified by the time I hit my refresh function. I don't refresh the token if it still has enough time to live. This may or may not be necessary, but saving a bit of calculation when not necessary. Written in TypeScript, but the logic is the same. Should be generic enough to be used in many different circumstances. |
|
@jppellerin nice! would be nice to have that in the jwt api with a pull request <3 |
|
There's an idea... started working on it... |
|
https://github.com/jppellerin/node-jsonwebtoken/tree/refresh-token Refresh will work for a token that is decoded without the |
…dpoint to refresh a token. A refresh is considered to have the same token returned, but with a later expiry time.
Can take into account the header + payload of a decoded token ie : {complete: true}
More in depth testing with comparision of equality
Testing failures and async mode
Added description for refresh in README.md
|
@jppellerin, Hi, any news on the PR? |
|
@jppellerin, thx for quick reply ) |
|
And how about refresh token that never expires? Any idea how to implement and how it differs security wise? here stackoverflow @jfromaniello says that it depends on the type of application what if I have to support web/mobile/native application? |
|
A token that never expires doesn't need to be refreshed. From the docs :
This means that if no As to the strategy that you use - that's a bit up to the design of your application. For example, we are building a web app and we don't want the token to live forever, nor do we want the user to be logged out mid-action when the token reaches it's expiry. Therefore, we refresh the token when the user is active. This means that our web app needs to be constantly updating the token on the front-end to ensure that they're always using the updated/refreshed version. I've never done mobile, but assuming a similar strategy can be used. Hope that helps. |
|
Thx again for your help, spent two days trying to figure out the best way. now I got something to start from. |
|
@Kiura My pleasure. Good luck! |
|
Is there a reason that the PR hasn't been merged yet? |
|
+1 |
|
+1 It's seem's like no one has get the best practise? |
|
+1 |
|
@mitchellporter @alianrock It seems that the maintainers of the library haven't yet decided if they want this as part of their API (it seems to me that they don't). Therefore it is pretty much left to the developer to implement it's own flavour of this. We have been using the code form pull request #172 for over a year in production. |
|
Fixed by documentation: #371 |
|
@jppellerin Hi, if I understand correctly, is this PR applicable only to tokens that have not yet expired? |
Any ideas of how to implement the refresh token?
Seems nobody has written nothing...
The text was updated successfully, but these errors were encountered: