
Token inside JWT payload

Is it a good idea to have a randomly generated token inside the JWT payload and check it against the database on each request?

I've done my research on JWT and how it actually works, and I know its main purpose is to avoid querying the database on each request to authorize the user, but I still have to do it as I need certain information about the user who is making the request.

I also need a good solution to immediately revoke a token if I need to. Blacklisting the token seems like a good solution initially, but that would require extra requests and I don't think it's worth the effort.

So the solution I came up with is to generate a random token, save that token in my database and also put it in the JWT payload. That way when a user makes a new request, it first checks if the JWT token is valid and, if it is, it then checks if the token associated in the payload is valid.

So if a user needs to change his password, for example, his token would change and all JWT tokens with the previous token in their payload would fail to validate.

So the solution would be like this:

When the user registers, it is assigned a randomToken, which is also stored inside the payload. If registration is successful, the server returns the generated jwtToken.

var jwtToken = jwt.sign({token: randomToken}, PRIVATE_KEY, SIGN_OPTIONS);

So when a user makes a new request, it first checks if the JWT token is valid.

// verify takes its own options (e.g. algorithms: ['RS256']), not the sign options
var legit = jwt.verify(token, JWT_PUBLIC_KEY, VERIFY_OPTIONS);

If it is, it then proceeds to check the token inside the payload against the user token in the database.

-- bind legit.token as a query parameter; never interpolate it into the SQL string
SELECT * FROM users WHERE token = ?

If everything is correct, it then proceeds with the normal request.

'Is it a good idea...' is not a very good way to ask a question, but I will try to answer it...

1. JWT is secure

The reason behind the private key is to make sure the user does not change the token. Therefore, it's totally secure to store an object that is used often in the token, and there is no need to store the token anywhere. The signed object would look like this:

{
  expirationDate: 1560530063664,
  ...user data
}

2. Blacklisting and Revoking Tokens

To blacklist a certain token I believe the best way is the way you came up with. Depending on how many users you have accessing the website simultaneously, it might be possible/a good idea to just use an array though.

Although it may be nice to have the ability to blacklist a token, is it really necessary? If the user updates their password, do they really need to be logged out? If you still think you need a token store I believe there are multiple npm packages to do so...
