Question
I followed this tutorial for using JWT tokens. The token expiry is set to only 5 minutes, but what if I wanted to invalidate the token after 1 minute of use? I want to be able to make an API call to /api/logout, and that should delete my token.
I'm using Express and Node.
It seems, from what I could gather, that my option is to have a token DB that stores the token. When I want to expire my token, I then expire/remove the token from the DB.
I've also seen people casually say to "remove" the token from the physical hard space, but I cannot figure out where the token is physically stored for me to remove it.
Answer
The general benefit of JWT token authentication is that the tokens can contain all the session information you would normally keep in your session store. This saves considerable resources, especially in request-to-response times, because you do not have to look up session data on each and every request - the client gives you all that.
However, it comes at the cost of not being able to revoke a JWT token at a time of your choosing, because you have lost track of state.
The obvious solution of keeping a list of invalidated tokens somewhere in your database kind of removes the above-described benefit, because you again have to consult the database on every request.
A better option would be to issue short-lived JWT tokens, i.e. tokens valid for only one minute. For a web application, an average user may perform several requests in a minute (a user navigating around your app). You can give each user a JWT token that will last a minute, and when a request with an expired token arrives, you simply issue them a new one.
Update: Issuing a new access token after presenting an expired token is a very bad idea - you should treat an expired token as invalid, as if it had been forged. A better approach is to have the client present a refresh token which will prove the user's identity, and only then issue a new access token. Note that verifying a refresh token must be a stateful operation, i.e. you must have a list of all valid refresh tokens per user somewhere in your database, because if the refresh token is compromised, the user must have a means of invalidating that token.