stackoom
  简体   繁体   中英

jwt.verify() returns jwt expired when the expiration is 24h

 原文  2019-05-14 12:04:05       javascript/ jwt

Question

I used jwt to create a token: 

const jwt = require('jsonwebtoken');
const token = jwt.sign({
filePath: "path/to/file"
}, 'secretKey', {
expiresIn: "24h"
});
try {
  console.log(token)
  var decoded = jwt.verify(token, 'secretKey');
} catch(err) {
 console.log(err)
}

jwt.header: 

{
  "alg": "HS256",
  "typ": "JWT"
}

payload: 

{
  "filePath": "path",
  "iat": 1557833831,
  "exp": 1557920231
}

When I test the snippet code mentioned above in my real app, I got an error message: 

jwt expired

Using the jwt debugger , the token is valid and should expire after 24h. The error returned by verify() which checks the expiration. How jwt checks the expiration? or it does not check it?

1 answers

solution1
 1 ACCPTED  2019-05-14 13:32:06

So since the question is, how does jwt check the expiration date, it depends on basically on some properties that may be implemented according to the JWT RFC

One would be exp . In case a token expires before the current datetime, then the JWT cannot be processed

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Another one to note would be the iat , which stands for issued at

The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

A final one that could be used for time verfication, as far as I am aware of would be, nbf , standing for not before

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Now, for the code at hand, I don't see anything which is of, having following setup, this works perfectly fine for me 

const jwt = require('jsonwebtoken');

const token = jwt.sign( {
  hello: 'world'   
}, 'myverysecretkey', {
    expiresIn: '24h'
});

try {
    const verify = jwt.verify( token, 'myverysecretkey' );
    console.log( verify );
} catch (err) {
    console.error( err );
}

which would output 

Object {hello: "world", iat: 1557840459, exp: 1557926859}

This can be validated on the codesandbox link

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question jwt.verify not throwing error for expired tokens Node.js callback for jwt.verify() Error: Can't set headers after they are sent when return jwt.verify Why cant I use jwt.verify() from jsonwebtoken in react? Cannot overgive the user parameter to req.user in jwt.verify function Format hour to 24h Log out user when JWT has expired JWT expired with fetch javascript PassportJS Validates Expired JWT Handling Autologin with expired jwt
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM