When will NbAuthJWTToken expire in Nebular? - nestjs

In the backend I've built with nestjs, the JWT token expires 30 s after it is created,
but the frontend still does not log out.
I don't know when NbAuthJWTToken will expire.
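Added example, not part of the question and not Nebular's code: the expiry of any JWT, the one NbAuthJWTToken wraps included, is carried in its `exp` claim (seconds since the epoch), so the frontend can decode the payload and compute how long the token remains valid without a round trip. The decode is deliberately unverified, since the client holds no signing key; the sample token, its 30 s lifetime and the skew allowance are constructed values. As far as I recall, NbAuthJWTToken reads the same claim through getTokenExpDate()/isValid(); treat that as an assumption to check against the Nebular source.

```javascript
// Decode one base64url-encoded JWT segment into a JSON value.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Return the payload of a JWT without checking its signature (client side has no key).
function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three dot-separated segments');
  const payload = decodeSegment(parts[1]);
  if (!payload || typeof payload !== 'object') throw new Error('JWT payload is not an object');
  return payload;
}

// Milliseconds until `exp`, minus an allowance for clock skew between client and server.
// `exp` is a NumericDate in seconds (RFC 7519), hence the * 1000. Negative means expired.
function msUntilExpiry(token, nowMs = Date.now(), skewMs = 0) {
  const { exp } = decodePayload(token);
  if (typeof exp !== 'number') throw new Error('token carries no exp claim');
  return exp * 1000 - skewMs - nowMs;
}

// True once the token should no longer be presented to the backend.
function isExpired(token, nowMs = Date.now(), skewMs = 0) {
  return msUntilExpiry(token, nowMs, skewMs) <= 0;
}

// Constructed sample token: issued at 1700000000, valid for 30 s, placeholder signature.
// Header and payload are encoded here rather than pasted so the sample is reproducible.
const SAMPLE_ISSUED_AT = 1700000000;
const SAMPLE_TOKEN = [
  Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url'),
  Buffer.from(JSON.stringify({ sub: '42', iat: SAMPLE_ISSUED_AT, exp: SAMPLE_ISSUED_AT + 30 })).toString('base64url'),
  'placeholder-signature',
].join('.');

// Stand-alone run: report the remaining lifetime at issue time and 5 s with a 5 s skew margin.
console.log('ms until expiry at issue time:', msUntilExpiry(SAMPLE_TOKEN, SAMPLE_ISSUED_AT * 1000));
console.log('expired at +25 s with 5 s skew margin:', isExpired(SAMPLE_TOKEN, (SAMPLE_ISSUED_AT + 25) * 1000, 5000));
```

In practice the frontend uses `msUntilExpiry` to schedule a refresh (or a logout) shortly before the deadline rather than waiting for the backend to reject a request; the skew margin keeps a slightly fast client clock from presenting a token the server already considers expired.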

Related

Should I log out a user if the access token is malformed?

I am creating a Node.js / Express.js based login and registration system using JWT (I am using the JSONWEBTOKEN npm library).
Whenever a user logs in, that user gets a pair of access and refresh tokens. Now, to access resources, the user needs to send the access token to the backend.
Now when I verify the access token sent by the user to the backend and it is not verified, it produces three types of error (as mentioned in the JSONWEBTOKEN library on npm):
Token Expired Error: If I get this error, then in that case I will send a response to the frontend to send a request to the refresh token route to get a new pair of access and refresh tokens.
JsonWebTokenError: If I get this error, it means that the access token is malformed. Then in this case what should I do? Should I log out the user, or should I send a response to the frontend to send a request to the refresh token route to get a new pair of access and refresh tokens? <-- This is the main question: should I log out the user?
NotBeforeError: Since I am not using the nbf claim, in that case I don't need to worry about it.
Please provide your useful suggestions. While building a backend, security plays an important role.
This is useful to read: JWT refresh token flow.
In short, you should log out the user if the refresh token is malformed or expired.
According to the JWT idea, the access token is a short-lived token. When it doesn't pass validation because it is malformed or expired, you have to send the refresh token to the server to get a new pair. The user continues to work using the new access token without interruption.
If the JWT is malformed then just block that call by responding with 403; that's fine. The application then takes the decision whether to refresh the token or not.
When a user logs out, please revoke the issued token even if it is a JWT.
JWTs also need to be revoked as a best practice. Yes, JWTs are self-contained tokens and expirations are already part of them. But if a user logs out and their JWTs are still not expired, someone can use that token to call different APIs. So it is a security breach.
To avoid such things we should maintain the JTI claim of that JWT in our backend with the same TTL as the value of the JWT "exp". When the user logs out we have to clear those JTIs and notify the API callers about this, just by putting it into some event service; their API gateways should get notified, clear their side's cached tokens if any, and cross-check with the identity system (introspection).
This is how we have to design the system to avoid further security-related issues.
First thing is that the user will be logged out from the front-end side.
The front end will send a request to your node server and the token will be verified. The server will only send the response that the token is expired or malformed, and based on that the front end will perform the action.
If the token is expired then request a new token.
If the token is malformed then, based on your requirements, you can show results to your end user. You can either log out the user or you can show an unauthorized page too.
Suppose you have a role-based website and some unauthorized user is trying to access root-level routes; then you can show an unauthorized page.

I've been working with the Google API. Sometimes my refresh token refreshes and other times it fails and causes a 'RefreshError'. Why? How do I fix it?

Error:
google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'})
However, another app I use, with a different account, never runs into any issues. I use the same Python OAuth Quickstart for both.
Token has been expired or revoked.
basically means just that: either the user has revoked your access or Google has. Users can remove your access directly in their Google account whenever they want to.
Google expired tokens
If you are using a Gmail scope and the user changes their password, your refresh token will probably be revoked.
If your app is still in testing and the refresh token is more than seven days old, the user's consent will be removed and the refresh tokens will be revoked.
If the refresh token has not been used in more than six months, the refresh token will be revoked.
If the user authorizes your app you get a refresh token; if they do it again you get another refresh token. Both will work. You can have up to 50 outstanding refresh tokens for a user. If you request again then the first one will be expired. Ensure you are always storing the most recent refresh token.
No matter what the cause, your application should be configured in a way as to request authorization from them again if the refresh token has expired.

How to regenerate the Refresh Token and Access Token on a resource request?

I am trying to implement JWT tokens (access tokens and refresh tokens), but I have come to an issue when requesting a protected resource with an expired access token while the refresh token is still valid.
I know that I should not use refresh tokens to request resources; refresh tokens should be used against authorization validators to revalidate/regenerate access tokens.
In my app, the user can log in by a POST request with valid credentials to get an access token (expires in 1 min) and a refresh token (expires in 10 min). Say now the user makes a request 30 sec after login and sends both tokens; then the tokens get checked and the resource comes back. If now the user makes a request after 2 min and sends the tokens, his access token is invalid. In this scenario how can I proceed with the request and revalidate the tokens?
I can think of middleware to validate and provide tokens and send them with the response, but is this the right approach?
Then I need to handle and restore tokens on the client side for every response, don't I?
Also, I do not want to prompt users to re-login. I am using Node and Express for the server and React on the client.
Here are your steps:
Try to log in
Receive 401 from the server when the token is invalid
Request a new access token by making a new refresh request.
Set the new access token and refresh token
Retry the original request
This has to be done on the client side because it is the audience that gets validated for authorization.
Usually we don't set the access token to expire every minute because the described process would add too much latency.
Edit from #MComment:
5 min for access tokens and 30 min up to a few hours is what is generally recommended for access and refresh tokens respectively. Usually authorization servers offer "rolling refresh": the refresh token's expiration is renewed whenever you use it. This way a user stays logged in as long as they are actively using the website.
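Added example, not from the answer above: the five client-side steps as a fetch wrapper that, on a 401, calls the refresh route once, stores the new token pair (rolling refresh, so the newest refresh token replaces the old one), and retries the original request. `fetchImpl` is injected so the block runs offline against the constructed mock server at the bottom; the `/api/refresh` route, the JSON body shape and the token store are assumptions, not an API the answer specifies.

```javascript
// Client wrapper around fetch that transparently refreshes on 401 and retries once.
function createAuthClient({ fetchImpl, store, refreshUrl }) {
  let refreshing = null; // one in-flight refresh shared by concurrent 401s

  async function refresh() {
    if (!refreshing) {
      refreshing = (async () => {
        const res = await fetchImpl(refreshUrl, {
          method: 'POST',
          headers: { 'content-type': 'application/json' },
          body: JSON.stringify({ refreshToken: store.refreshToken }),
        });
        // A rejected refresh token is the point at which the user must log in again.
        if (res.status !== 200) throw new Error('refresh failed: re-authenticate');
        const { accessToken, refreshToken } = await res.json();
        store.accessToken = accessToken;
        store.refreshToken = refreshToken; // keep the most recent refresh token only
      })().finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function request(url, init = {}) {
    const withAuth = () => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), authorization: `Bearer ${store.accessToken}` },
    });
    let res = await withAuth();          // step 1/2: normal call, may come back 401
    if (res.status === 401) {
      await refresh();                   // step 3/4: new pair, stored
      res = await withAuth();            // step 5: retry the original request once
    }
    return res;
  }

  return { request, refresh };
}

// Constructed mock server: one valid access token at a time, a refresh token that rotates
// on each use, and a call log so the flow can be inspected without a network.
function createMockServer() {
  const state = { access: 'access-1', refresh: 'refresh-1', refreshes: 0, calls: [] };
  const json = (status, body) => ({ status, json: async () => body });

  async function fetchImpl(url, init = {}) {
    state.calls.push(url);
    if (url === '/api/refresh') {
      const { refreshToken } = JSON.parse(init.body);
      if (refreshToken !== state.refresh) return json(401, { error: 'invalid refresh token' });
      state.refreshes += 1;
      state.access = `access-${state.refreshes + 1}`;
      state.refresh = `refresh-${state.refreshes + 1}`;
      return json(200, { accessToken: state.access, refreshToken: state.refresh });
    }
    const auth = (init.headers || {}).authorization;
    if (auth !== `Bearer ${state.access}`) return json(401, { error: 'token expired or invalid' });
    return json(200, { data: 'protected resource' });
  }

  // Simulate the server no longer accepting the access token the client holds.
  function expireAccess() { state.access = 'expired-marker'; }
  return { fetchImpl, state, expireAccess };
}

// Walk the flow: a call succeeds, the access token expires, the next call gets a 401,
// refreshes, retries and succeeds. Returns what happened so it can be checked.
async function demo() {
  const server = createMockServer();
  const store = { accessToken: 'access-1', refreshToken: 'refresh-1' };
  const client = createAuthClient({ fetchImpl: server.fetchImpl, store, refreshUrl: '/api/refresh' });

  const first = await client.request('/api/data');
  server.expireAccess();
  const second = await client.request('/api/data');
  return {
    firstStatus: first.status,
    secondStatus: second.status,
    refreshes: server.state.refreshes,
    calls: server.state.calls,
    accessToken: store.accessToken,
    refreshToken: store.refreshToken,
  };
}

demo().then((result) => console.log(JSON.stringify(result)));
```

The single shared `refreshing` promise is the detail that matters in a real app: several requests failing with 401 at once should trigger one refresh, not one per request, otherwise a rotating refresh token is consumed by the first call and every later one fails and forces a login.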
You can update the expiry date of the access token on every request; no need to regenerate the token.
I think the session time you set is not normal or recommended.
If you don't want the user to have to re-login, make a forever refresh token and create a function in ReactJS to regenerate the access token from the refresh token if it has expired.
Revoke the refresh token only when you want to log out from this client.

WebSocket refresh token approach

I am developing an application where clients will receive broadcasts from the server. I am planning to use nodejs, express and WebSockets. I'll be using a JWT refresh token with a JWT auth token for authentication and authorization. I have prepared a mock for my approach.
After a successful login, I'll be providing an auth token with an expiration time of 5 days and an access token with an expiration time of 120 seconds. All resource access is granted based on the access token.
The client will be calling the REST server's token API to refresh the access token every 90 seconds and will update it in local storage.
Server : https://codesandbox.io/s/websocket-server-sygp1
Client : https://codesandbox.io/s/websocket-client-8b356
Is this the correct approach for authorization with WebSockets?
I have searched a lot for refresh token authorization using WebSocket but haven't found anything concrete, so I came up with this approach.

Refreshing JWT and securing sessions on a client-side app

I have a React app with a node/express back end. I am currently using JWT to make calls to protected routes on the back end. This all works fine. But I want to keep the user logged in for more than just 30 min or so.
What is the best way to handle securing sessions or refreshing an access token when it expires on a client-side application?
My solutions:
- One:
Create a refresh and an access token. Have the access token be short-lived, and sign the refresh token with a unique id given to the user in the database. Then verify the token with this id. Then when the access token expires, send a 401 back, get the refresh token from local storage to create new tokens, and then try the call again.
Problem with this: there is a lot of back and forth going on and it seems slow.
- Two:
Send both the refresh token and the access token on each call, and if the access token is expired use the refresh token to create new tokens, then proceed.
Problem with this: I don't see why I would then need to send 2 tokens; I could just send one and get the job done with that. But then if one or both tokens become compromised they could regenerate forever.
- Three:
Send the access token expiration to the front end, and if the token is expired send the refresh token and verify it with the unique identifier in the database. Then generate new tokens and continue.
Problem with this: not sure how secure this would be. But for now this seems like the best solution.
So I am wondering what the best way is to handle refreshing an access token when it expires so the user can keep using the platform?
I'm saying this from experience, not a source, but the whole idea of JWTs is that it's sessionless. There's another solution for handling sessions.
With JWT, you don't need to save it in your database, as you sign that JWT with a secret key and you can just verify that the JWT has been issued using your secret key. And you can issue that JWT to be valid for more than 30 minutes. It's totally fine. I myself have set it to 180 days, and because it's so long, a user will log in again in this time, so you don't have to worry about expiration. But if you want to handle that too, you can parse it in your front end, check its expiration timestamp, and get another JWT before it expires.