[英]Invalidate JWT Token in NodeJS
I followed this tutorial for using JWT token.我按照本教程使用 JWT 令牌。 The token expiry is set to only 5 minutes, but what if I wanted to invalidate the token after 1 minute of use?
令牌到期时间设置为仅 5 分钟,但如果我想在使用 1 分钟后使令牌失效怎么办? I want to be able to make an API call to
/api/logout
and that should delete my token.我希望能够对
/api/logout
进行 API 调用,这应该删除我的令牌。
I'm using Express and Node.我正在使用 Express 和 Node。
It seems like from what I could gather to do my option is to have a token db that stores the token.从我可以收集到的内容来看,我的选择似乎是拥有一个存储令牌的令牌数据库。 When I want to expire my token, I then expire/remove the token from the DB.
当我想使令牌过期时,我会从数据库中使令牌过期/删除。
I've also seen people casually say "remove" the token from the physical hard space, but I cannot figure out where the token is physically stored for me to remove it.我也看到有人随便说从物理硬空间中“删除”令牌,但我无法弄清楚令牌物理存储在哪里以供我删除它。
The general benefit of a JWT token authentication is that the tokens can contain all the session information you would normally keep in your session store. JWT 令牌身份验证的一般好处是令牌可以包含您通常会保存在会话存储中的所有会话信息。 This saves considerable resources, especially in request-to-response times, because you do not have to look up session data on each and every request - the client gives you all that.
这节省了大量资源,尤其是在请求到响应时间,因为您不必在每个请求上查找会话数据 - 客户端为您提供所有这些。
However, it comes at the cost of not being able to revoke a JWT token at a time of your choosing, because you lost track of state .但是,代价是无法在您选择的时间撤销 JWT 令牌,因为您丢失了 state 的跟踪。
The obvious solution of keeping a list of invalidated tokens somewhere in your database kind of removes the above-described benefit because you again have to consult the database on every request.在数据库中的某处保留无效令牌列表的明显解决方案消除了上述好处,因为您必须再次在每次请求时查询数据库。
A better option would be to issue short-lived JWT tokens , ie tokens valid only one minute.更好的选择是发行短期 JWT 令牌,即仅一分钟有效的令牌。 For a web application, an average user may perform several requests in a minute (a user navigating around your app).
对于 Web 应用程序,普通用户可能在一分钟内执行多个请求(用户在您的应用程序中导航)。 You can give each user a JWT token that will last a minute and when a request with expired token arrives,
you simply issue them a new one.
您可以为每个用户提供一个持续一分钟的 JWT 令牌,当带有过期令牌的请求到达时,
您只需向他们发出一个新
令牌
。
Update : Issuing a new access token after presenting an expired token is a very bad idea - you should treat an expired token as invalid, as if it has been forged.更新:在提供过期令牌后颁发新的访问令牌是一个非常糟糕的主意 - 您应该将过期令牌视为无效,就好像它是伪造的一样。 Better approach is to have the client present a refresh token which will prove the user's identity, and only then issue new access token.
更好的方法是让客户端提供一个刷新令牌来证明用户的身份,然后才发布新的访问令牌。 Note that verifying a refresh token must be a stateful operation, ie.
请注意,验证刷新令牌必须是有状态的操作,即。 you must have a list of all valid refresh tokens per user somewhere in your database, because if the refresh token is compromised, the user must have a means of invalidating that token.
您必须在数据库中的某处拥有每个用户的所有有效刷新令牌的列表,因为如果刷新令牌遭到破坏,用户必须有办法使该令牌无效。
1) Simply remove the token from the client 1)只需从客户端删除令牌
2) Create a token blacklist 2)创建令牌黑名单
3) Just keep token expiry times short and rotate them often 3)保持令牌到期时间短并经常轮换它们
Please have a look at Invalidating JSON Web Tokens Invalidating JSON Web Tokens请查看 Invalidating JSON Web Tokens Invalidating JSON Web Tokens
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.