node.js - koa-jwt如何使用

Answer 1

1. First of all, you need to know the functions of koa-jwt. Currently, only the functions of decode, sign and verify are provided. You said that the token expired koa-jwt module does not provide special functions. verify.

2. How to tell if token has expired? Let me briefly introduce jwt to you first, and then teach you how to determine expiration.

2.1 jwtIntroduction

JSON Web Token(jwt) In web pages, many operations require verifying user permissions, determining whether the user is logged in, etc. There are generally two implementation methods: one is through session and cookie; the other is to use authentication token. There are two main advantages to using token for authentication.

• The server does not need to request the DB to obtain user information, because the user information is already stored in the token.

• The token authentication method is equally applicable to mobile terminals and PC terminals, and the server does not need to maintain two sets of authentication mechanisms.

A standard jwt is composed of 3 parts <header>, <payload> and <signature>

• Header: base64 encoded json object, including the encryption algorithm used, etc.

• Payload: base64 encoded json object, which stores user-related information.

• Signature: A signature string generated based on Header, PayloadA and a key (known only to the server), using the encryption algorithm specified in the Header.

2.2 How to judge failure

There are many ways to determine when a token has expired. I will list a few here for you to choose from

• jwt provides expiration parameter settings. When issuing a token (when koa-jwt calls sign), set the exp attribute in the Payload. This is the Registered Claims provided by jwt (reserved Statement), remember it must be greater than the current time, for example, set to expire 10 minutes after the current time

{
  exp: Date.now()+10*60*1000,
}

Then you can 持久化 store it in your localstorage, sessionStorage or cookie. This token is passed to the server through the request, and will be reported during verification (when calling koa-jwt's verify) TokenExpiredError

Thrown error if the token is expired.

Error object:

- name: 'TokenExpiredError'
- message: 'jwt expired'
- expiredAt: [ExpDate]

• After the server generates the token, you can save the token in the cookie (or sessionStorage) in the return of the request, and then set the expiration time of the cookie expire, so that next time you request When the token cannot be obtained in the header or body of the request, you will know that the token has expired (similar to the code you provided, but remember to set the expiration time of the cookie that stores the token).

• Customize attributes similar to exp, because exp is a reserved attribute, so you can set a time when origin-iat was last issued, and then store it persistently. After detaching the token, determine the current Does the time difference between the time and origin-iat reach your expiration time? If it reaches it, you will need to re-authenticate and re-issue the token. The pseudo code is as follows

var profile = jwt.verify(req.header.token || req.body.token, secret);

  // if more than 7 days old, force login
  if (Date().now() - profile.original_iat  > 7 * 24 * 60 * 60 * 1000) { // iat == issued at
    return res.status(401).json({ isError: true, error: { message: 'Access Forbidden'}}); // re-logging
  }

The difference between the several methods is: The first and third methods can always get the token through request, but the token may expire. The second way is that the token may not be obtained through the request. It's up to you to make the appropriate choice based on your business needs.

Attachment: JSON Web Token Specification RFC 7519