Comments (2)
It works like this
- User logs in and is issued an access token and refresh token
- Something is changed in their account, potentially revoking access to some part of the system
- The user's access token continues to be valid until it expires; they can potentially still access the revoked part of the system (unless the backend is validating on each request).
- The user's access token expires and they refresh with the refresh token.
- The new access token has the change to their authorization, potentially denying them all access.
So, in effect, the expiry time of the access token is the maximum time authorization may be granted to the user. The refresh token defines how long can elapse before they have to refresh or log in again, at which point a server check is done to issue, or deny to issue, an access token with the appropriate claims.
from node-jsonwebtoken.
I guess, due to the stateless nature of JWT, it's necessary to leverage some stateful mechanism on the server side to remedy this, say, a block list, token version, session, etc.
from node-jsonwebtoken.