React Native + JWT: do I still need a refresh token?

On login, a JWT access token is sent from the server and stored in AsyncStorage in the RN app.

Now I want the user to stay logged in for 5 years until they either:

  • log out

  • an admin revokes their token

  • they are logged in on 3 devices and change their password on one of them, which has to log them out of the other 2 devices until they log in again on those devices

  • they lose their phone and log in from another device to log out of all devices

It looks like I would have to store the JWT tokens in the DB (I know that, from what I've read, this defeats the purpose of JWT tokens), but I need to know the user's tokens and their different devices in order to revoke them.

One thing that confuses me is reading that access tokens should be short-lived, say 60 minutes, and refresh tokens long-lived, say 5 years in my case.

I don't understand why we cannot give access tokens a 5-year lifespan (per device) and store them against the user in the DB so that we can identify and revoke their tokens based on the points above. What would be the point of the refresh token? Would it even be needed in this case?

Note: I also read that we cannot revoke access tokens, only refresh tokens, so I am really confused. Should I send both the access token and the refresh token to RN, use the refresh token in the Authorization header, and only store the refresh token in the DB? Then what would be the point of the access token if it is not the one in the database?

I think it should be something simple to implement, but my criteria are a 5-year login and the ability to revoke tokens according to the points above.

What's the correct solution for this situation?

+3




1 answer


Access tokens are short-lived, 24 hours by default. But why? Why not 5 years?

  • Anyone with an access token is guaranteed access to whatever the user (to whom it was originally issued) can access. This means that the server cannot distinguish between this user and anyone else who has the access token.

  • There is no logout. I mean, you can redirect your frontend to the login page to make it enter credentials again, but there is no genuine logout on the server. Technically, a user can keep using the same access token (until it expires).

  • Access tokens cannot be revoked. Access tokens are valid until they expire. Anyone can use one before the token expires. For example, if the expiration is set to 5 years and I accidentally get hold of your token, I can use it until it expires, which in this case would be 5 years. This makes it more sensible to set the expiration time to less than 24 hours.

Now let's look at your requirements. "I want the user to stay logged in until":

  1. Logs out

Send the refresh token to the user after they sign in. Store the access token and the refresh token very securely. After the access token has expired, use the refresh token to get a new access token. Keep doing this until the user logs out. When they log out, remove the access token and the refresh token in the frontend and revoke the refresh token on the server side. (Again, if someone somehow obtains an access token, they can still access the account until it expires.)

  2. Administrator revokes the token

The server cannot revoke access tokens, as I said earlier: once issued, they are valid until expiry no matter what. But only as long as the user has an access token :P Remove the access token as soon as the app opens if it has not been launched in the last hour or so. Now the frontend is forced to get a new access token using the refresh token it saved. Want the user to be logged out? Discard the refresh token.

  3. Log out of all devices after changing the password

Same as 2. After the user changes the password, revoke all refresh tokens (if you don't want the user to log in again, revoke all refresh tokens except the current device's). Your app on all devices will be forced to get a new access token using a refresh token, but since you've revoked it, the user has no other way than to log in using their credentials.

  4. User logs out of all devices

Same as 3. Changing the password triggers logout on all devices, and here you just need to add a "Log out on all devices" button which sends a server request that revokes all refresh tokens except the current device's.

Caveat: the current session cannot be closed remotely; you need to wait for the user to log out of the application to remove the current access token. A workaround is to remove the access token as soon as the application is closed (or even minimized), or set the access token to expire in 30 minutes, provided you can tolerate the latency caused by getting a new access token using the refresh token every time that happens. You trade time for security, or vice versa, depending on your application's requirements.




"This is all fine, but I don't want a refresh token in the first place" (alternative solution):

I do not recommend storing tokens, as this defeats the very purpose of scaling and preventing light DDoSes, by increasing the response time with the DB request. But since Redis is a remarkably fast in-memory key store, some people prefer to store access tokens in it. Well, how does it work?

Setup: after the user logs in, an access token is issued. Save it to Redis, then send it to the user.

  • Check the JWT signature && token integrity; if that fails, no DB request. Send back 404 user not found. This will be as fast as JWT without Redis.

  • If that succeeds, check Redis for the token. If it exists, grant access. If not, ask the user to log in again. Note that this will be a little slower than granting access using just the JWT, but hey, you are not querying Postgres or Mongo, which can take a few milliseconds; Redis, a key store that sits in memory (not on disk), is significantly faster than that.

Access is granted if and only if both conditions are met: the JWT is valid, and the JWT is present in Redis.

Responding to your requirements:

  1. Logout is now possible. When the user logs out, remove the access token from Redis. They cannot get in even if they still have the access token. The access token is now literally invalid.

  2. Admin revokes the token: remove this user's access tokens from Redis.

Once the user has been authenticated by the server, allow them to issue a request that removes all other tokens with the same user id (or uid), which logs the user out of the other devices:

  3. After changing the password, run this request.

  4. To log out of the other devices, run this request.

Finally, point 1, staying logged in until the user logs out: now that you have the ability to revoke an access token, which you did not have without Redis, you can have a 5-year valid access token, provided you follow the other necessary security measures to prevent misuse of the access token.

+2

