how to refresh JWT Token after username update in NestJS? - passport.js

I've been using Passport JWT for auth, and the payload for signing is username and seller.
Now the issue is that every time I update the username and try to fetch user details it gives 401. So I'm looking for a way to handle this gracefully using passport-jwt in NestJS.

How about using the user id and the seller id as payload? These values won't change, and therefore the token stays valid even when the username changes.

Related

How do I get a user object from a jwt token in surrealdb?

I have a jwt token returned by surrealdb's signin() method.
How do I populate a user object on authenticated requests using this token?
You can't get user data from the token, but you should use the user's provided details to create a User object. You will need to store the token in a session store or on the client side to send it in future requests.

JWT token verification procedure to obtain the user object

In my current test node express project, I use JWT. For a POST route, I need the user who fires the request. Therefore I send the JWT with the request. In the NodeJs controller, I have access to the supplied token.
I decode this and then have the user email, exp and iat. Is it now correct that I only start a DB query with the decoded email of the user, with which I receive the user object?
Or do I have to do another validation step? I don't miss any other validation but I find it somehow unsafe.
I decode this and then have the user email, exp and iat. Is it now correct that I only start a DB query with the decoded email of the user, with which I receive the user object?
You can use the email from the decoded JWT token only after its validation. Once you validate it, you know that user information is legitimate unless your secret is compromised.
You need to use an auth middleware that will allow the request to access the next middleware and the controller logic.
Or do I have to do another validation step? I don't miss any other validation but I find it somehow unsafe.
If the encoded JWT token is validated correctly, you don't need to add any validation for the decoded data; however, it is important to validate the data coming in the request (you can use Joi).

Revoking Bearer Token and Refresh Token - ServiceStack

I want to enforce a single user session feature for my Angular app because my customers share a single account with their coworkers.
The issue currently, with my implementation, is revoking a valid token stored in a client's local storage, particularly a valid refresh token.
The scenario is:
User 1 logs in with valid username and password, the bearer token will expire in an hour, the refresh token will expire in two weeks
User 2 uses the same username and password two hours later. User 2 is prompted that they are logged in on another device and asked whether they would like to expire that session and start a new session.
User 2 says yes, and now User 1's session is invalid.
The problem is that User 1 still has a valid Refresh token.
I have no way to revoke this refresh token. My Auth API will accept it as valid, and I will not know whether it is User 1's or User 2's refresh token.
Do I need to start storing refresh token values in my database to resolve this issue? I also thought I could use a different JwtAuthKeyBase64 for User1 and User2, as a way to invalidate User1's token but this doesn't seem like a good way to be using the ServiceStack JwtAuthProvider.
The JWT RefreshToken is used to contact the Auth Server to fetch a new JWT Bearer Token. It will only return a BearerToken if the User still has Access so you can lock the User Account by populating UserAuth.LockedDate which will prevent the user from retrieving a new JWT Bearer Token.
If you want more custom validation you can implement IUserSessionSource and throw an Exception in GetUserSession() to return an Error Response instead of the JWT Bearer Token.

Make jwt token expired after one of the user's property has changed

Is it possible to make a JWT token expire after one of the user's properties has changed (for example, activated: false or role: [ADMIN])? Or maybe there is another way to solve this problem?
Typically a JWT expires only when the expiry date for that token passes. But this doesn't mean that a JWT cannot expire logically for other reasons. One example would be that your Node application receives a request with a valid JWT, but the token belongs to a user whose account was recently deactivated. The workflow might look something like this:
Your Node app receives the JWT
It decrypts the JWT, and extracts the username
Then it queries a user table in your database to check the status of the account
Having discovered that the account is not active, your Node app redirects to the login page with an error message
It is generally up to you to determine how to proceed with a JWT. The JWT just protects the token from being manipulated by the user.

Why would I need to use passport package with jsonwebtoken for applying token based authentication on a NodeJs web API?

passport , passport-jwt , jsonwebtoken , express-jwt ..etc
I’m confused, when to use which and which to use with which?
I was building my own MEAN app not too long ago and ran into the same questions. This cleared it up very well.
https://jonathanmh.com/express-passport-json-web-token-jwt-authentication-beginners/
Basically, you use jsonwebtoken to generate the token. This is returned to the client, who in turn sends it every time he makes a request. This is typically passed in the auth header. passport-jwt checks this auth header and verifies its validity. If it is invalid, it returns a 401; otherwise it populates req.user.
passport-jwt:
In this strategy, the server validates user credentials and returns an encrypted user object, i.e. a token. The client can save the token using a cookie, local storage, or another mechanism. Then on every user request it validates the token and proceeds with the request.
express-jwt:
You can use it for multi-tenancy purposes, e.g. validate user credentials and encrypt data like passport-jwt.
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
OAuth: you can create a JWT token and validate it using a secret key.
https://auth0.com/learn/json-web-tokens/
