Comments (11)
Refresh tokens mechanism can be easily implemented using this package. Nothing more is needed
from jwt.
Took me half a day to figure this out, so I hope this helps others.
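E.g. For Token Creation/Signing
- Module
```typescript
import { Module } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';

@Module({
  imports: [JwtModule.register({})], // Must register with empty options object...
})
export class SomeModule {}
```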
- Signing/Creation
```typescript
import { JwtService } from '@nestjs/jwt';

// Inside the service that issues tokens:
constructor(private jwtService: JwtService) {}
// ...
// ...
const payload = { userdetails: userdetails };
const accessToken = this.jwtService.sign(payload, {
  secret: accessConfig.secret, // unique access secret from environment vars
  expiresIn: accessConfig.signOptions.expiresIn, // unique access expiration from environment vars
});
const refreshToken = this.jwtService.sign(payload, {
  secret: refreshConfig.secret, // unique refresh secret from environment vars
  expiresIn: refreshConfig.signOptions.expiresIn, // unique refresh expiration from environment vars
});
// ...
// Store refresh **token-hash** in DB
// ...
// return tokens to client
return {
  accessToken: accessToken,
  refreshToken: refreshToken,
};
```
E.g. For Token AuthGuard Strategy
- AuthGuard Strategy
```typescript
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';

@Injectable()
export class JwtRefreshStrategy extends PassportStrategy(
  Strategy,
  'jwt-refresh-strategy',
) {
  constructor() {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      ignoreExpiration: false,
      secretOrKey: jwtRefreshConfig.secret, // gets secret from environment variables
    });
  }

  // Called only after the signature and expiry have been verified
  async validate(payload: any) {
    // DB checks for refresh token: valid, revoked, etc...
    // ...
    // ...
    return { username: payload.username };
  }
}
```
My suggested changes to this package:
- Handle registration if JwtModule is imported but not registered with empty object.
- Update docs to make clear that JwtModule can simply be imported, and JwtService can be passed options.
E.g. What this package should do:
```typescript
@Module({
  imports: [JwtModule], // Import like any other module
})
export class SomeModule {}
// ...
// ...
// Package should have some conditional check
// Pseudo code example
if (!JwtModuleRegistered) {
  JwtModule.register({});
}
```
from jwt.
> Refresh tokens mechanism can be easily implemented using this package. Nothing more is needed
@kamilmysliwiec The ingenious answer. Can you show this easy implementation?
from jwt.
@shamahan Yes, but where do you refresh one?
My solution is: a /auth/refresh route which accepts the refresh token from headers, then validates it by secret and checks the token in the db. If the token is valid and stored in the db, I would recreate the tokens and update the refresh token in the db.
from jwt.
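The flow described in the comments above (one secret per token type, only the refresh-token hash in the DB, a `/auth/refresh` route that validates and rotates), as an added sketch that is not code from this thread or from `@nestjs/jwt`. The `sign`/`verify` helpers are a minimal HS256 stand-in for `JwtService`, and the in-memory `refreshStore`, the secrets and the lifetimes are assumptions; it goes one step beyond the thread by revoking the session when an already-rotated token is replayed.

```typescript
import { createHash, createHmac, randomUUID, timingSafeEqual } from "crypto";

// Minimal HS256 stand-in for JwtService.sign()/verify(), so this runs without NestJS.
const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
const mac = (data: string, secret: string): string =>
  createHmac("sha256", secret).update(data).digest("base64url");

function sign(payload: object, secret: string, ttlSec: number, now: number): string {
  const body = enc({ alg: "HS256", typ: "JWT" }) + "." + enc({ ...payload, iat: now, exp: now + ttlSec });
  return body + "." + mac(body, secret);
}

function verify(token: string, secret: string, now: number): Record<string, any> | null {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const given = Buffer.from(s);
  const expected = Buffer.from(mac(h + "." + p, secret)); // algorithm is fixed; header alg is ignored
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  return claims.exp > now ? claims : null;
}

// Constructed secrets; the thread loads one per token type from environment variables.
const ACCESS_SECRET = "constructed-access-secret";
const REFRESH_SECRET = "constructed-refresh-secret";
const sha256 = (t: string): string => createHash("sha256").update(t).digest("hex");

// Hypothetical stand-in for the DB table: user id -> hash of the one live refresh token.
const refreshStore = new Map<string, string>();

function issueTokens(userId: string, now: number): { accessToken: string; refreshToken: string } {
  const accessToken = sign({ sub: userId }, ACCESS_SECRET, 15 * 60, now);
  const refreshToken = sign({ sub: userId, jti: randomUUID() }, REFRESH_SECRET, 7 * 86400, now);
  refreshStore.set(userId, sha256(refreshToken)); // store only the hash, never the token
  return { accessToken, refreshToken };
}

// Body of a hypothetical POST /auth/refresh handler.
function refresh(presented: string, now: number): { accessToken: string; refreshToken: string } | null {
  const claims = verify(presented, REFRESH_SECRET, now); // signature and expiry
  if (!claims) return null;
  if (refreshStore.get(claims.sub) !== sha256(presented)) {
    refreshStore.delete(claims.sub); // validly signed but not the live token: revoke the session
    return null;
  }
  return issueTokens(claims.sub, now); // rotation: the old hash is overwritten
}
```

The `jti` claim makes every refresh token unique, so two tokens issued in the same second still hash to different values.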
@Brock-Wood Contributions to the docs are more than welcome! If you are interested, feel free to create a PR with any improvements you think might be useful 💪
from jwt.
Just for the reference, here is my VERY basic implementation: modernweb-pl/vue-nest-monorepo#32
from jwt.
@Photon79 You may generate two tokens, one as access_token and the second as refresh_token, with different expiresIn times.
from jwt.
@shamahan Yes, but where do you refresh one?
For me one of the possibilities seems to be implementing a custom AuthGuard which would throw a custom exception which then would be caught by an exception filter.
from jwt.
You can follow the same instructions with this package as it's using the `jsonwebtoken` under the hood.
from jwt.
> You can follow the same instructions with this package as it's using the `jsonwebtoken` under the hood.
Well.... I just took a look at her again, and you obviously are correct, but man the docs should really point this out. I'll update my previous comment to reflect the correct way using this package.
Thanks!
from jwt.
@Brock-Wood Many thanks! ❤️
from jwt.