JWT update in Express.js

I am using JWT for authentication in my Angular.js app, with Express.js on the server side.

Basically, when the user logs in, a new token is generated (using https://github.com/auth0/node-jsonwebtoken) and sent back to the client. If the token is also valid client-side (the angular.js part uses https://github.com/auth0/angular-jwt), a new user is created and the token is stored in the cookie.

This way, every request to a specific path on the server is protected by token validation. However, my token has an expiration date. Now let's say, for the sake of argument, that the expiration time is 30 seconds; the user can actively use my application for 30 seconds, after which he logs out. This is not very convenient.

So what I did is that with every request to the server, I create a new token and send it back in the header of the response. When I get a response on my Angular.js side, I read the token and overwrite the token in the cookie. Thus, while the client is active (more precisely, making requests to the server side), the token is updated.

Now I would like to know the following:

  • Is this approach correct? The downside is that a token is generated on every request and sent back with every response. Cookies are frequently overwritten (performance issues?)
  • What would be the correct approach?
  • Is it good that the token expires if there are no requests on the server? The client can still use the application, however, if it is just writing to the client side (or reading), the token is not updated.

Thanks for your time and answers!


2 answers

  • Yes, this is a valid approach. This is the same approach that many are taking, including the popular Angular ng-token-auth module. You might consider storing tokens in local storage, with cookie storage if the browser doesn't support it (see http://caniuse.com/#feat=namevalue-storage for coverage).

  • I would do what you described.

  • One solution is to use the $interval ping API. All you have to do is send a token to receive a new one (i.e. in headers, like you are now). Keep track of how many emails you sent. You can reset the number of "pings" for certain actions, for example on ui-router $stateChangeSuccess (i.e. going to a new view) or whatever, including submitting a form or other non-ping requests. When the number of "pings" reaches your threshold, alert the user to end the session and, after a delay, delete the stored token and exit. Check your ping responses for authentication errors from the API, indicating that the user may need to log out and/or redirect.

Perhaps you just gave 30 seconds as an example of the token expiration date. I would recommend getting close to the browsing session timeout you want. As points of reference, note that the default value for Ruby gem devise_token_auth is 2 weeks and that .NET defaults to 10 hours. Your needs may vary.

The issue is also fixed with refresh tokens. Your access token has a short lifespan and is verified by signatures. The refresh token has a longer lifespan and is used to obtain new access tokens.

When a refresh token is used to obtain a new access token, this is a good time to perform additional checks: does a refresh token exist? Is this user account still valid?


Both tokens can be stored in secure cookies and delivered on every request. This allows your server to transparently use the refresh token when needed and set new access tokens in cookie responses.

This is the approach we used for Express-Stormpath and is documented in our Authentication documentation. If you want to offload your authentication layer, I would suggest Stormpath. (Disclaimer: I work there and wrote this module.)
