Question: how would you renew a token?

[papaiatis]

Hi all,

I'm just started with JWT and it looks very promising!
I have backend (npm) and frontend (angular2) too. When the user logs in I create a JWT and send it to frontend. I use your angular2-jwt module to store the token in localStorage.
So user uses the webpage without any issues and then suddenly he gets an error telling him his token is expired. This is valid, because, lets say, he logged in 2 hours ago and the JWT is configured to expire after 2 hours. But in the meantime the user used the website so the JWT should have been continuously updated with an expiry time of "last activity + 2 hours".
Am I right? If so, how would you do that?

Thank you!

[ziluvatar]

@papaiatis some questions to understand context:

• Login to backend which generates the JWT with 2h expiration. How do you login the user (ajax, full render)?
• User plays around the website. What do you use the JWT token for? Does the frontend send it in each request to the backend? Is it only to be stored in the browser and check the time when the token expires?

[papaiatis]

@ziluvatar

• User logs in through ajax, token is sent back with the response and stored in localStorage
• Right now, the payload holds the roles of the user, so some of the pages, links, content are hidden when user does not have permission for it. The token is only sent once when the user logs in. (I guess that's the problem). The token expiration is checked each time the user initiates an ajax request back to the server.

Thanks!

[ziluvatar]

The token expiration is checked each time the user initiates an ajax request back to the server.

Who checks that? frontend or backend?

Frontend: You may not need that, just keep in your js code a "timer", it gets restarted/checked on every action (timer > exp - iat (or custom claim saying 2 hours) => force login)

Backend: You would need to renew the token and send it back on each server action (cookie? header?)

renew the token: maybe with something like: #172

[papaiatis]

Who checks that? frontend or backend?

Actually both. In frontend I'm using this module: https://github.com/auth0/angular2-jwt which checks the token on each request. In backend, I check it manually.

Thanks for the tip, I'll take a look at the mentioned issue ASAP.

[papaiatis]

Sorry for the late reply. So I ended up creating a "renew token" API endpoint which I call when my angular 2 application starts up and then every 5 minutes. The server then returns me back a renewed token which I store in local storage.

[ziluvatar]

Thanks for letting us know your final solution!

[anuragpathak2608]

@papaiatis
@ziluvatar
Requesting new token from client-side in your case Angularjs will cause swquirty issue.
If your token gets leaked your application may get compromised completely.
And if we provide the functionality to the client to request fresh token it will allow an attacker to use the token for an indefinite time. And this will make the exp value of 2hours in token useless.

From security perspective, the token should be pushed from the server site instead of client-side to
so that if your valid token gets leaked attacker can not use the same token for more than exp time here it is 2 hrs.

I'm not sure how can we do it as it will conflict with the stateless property of JWT.