Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Question: how would you renew a token? #316

Closed
papaiatis opened this issue Feb 20, 2017 · 7 comments
Closed

Question: how would you renew a token? #316

papaiatis opened this issue Feb 20, 2017 · 7 comments
Labels

Comments

@papaiatis
Copy link

Hi all,

I'm just started with JWT and it looks very promising!
I have backend (npm) and frontend (angular2) too. When the user logs in I create a JWT and send it to frontend. I use your angular2-jwt module to store the token in localStorage.
So user uses the webpage without any issues and then suddenly he gets an error telling him his token is expired. This is valid, because, lets say, he logged in 2 hours ago and the JWT is configured to expire after 2 hours. But in the meantime the user used the website so the JWT should have been continuously updated with an expiry time of "last activity + 2 hours".
Am I right? If so, how would you do that?

Thank you!

@ziluvatar
Copy link
Contributor

@papaiatis some questions to understand context:

  • Login to backend which generates the JWT with 2h expiration. How do you login the user (ajax, full render)?
  • User plays around the website. What do you use the JWT token for? Does the frontend send it in each request to the backend? Is it only to be stored in the browser and check the time when the token expires?

@papaiatis
Copy link
Author

@ziluvatar

  • User logs in through ajax, token is sent back with the response and stored in localStorage
  • Right now, the payload holds the roles of the user, so some of the pages, links, content are hidden when user does not have permission for it. The token is only sent once when the user logs in. (I guess that's the problem). The token expiration is checked each time the user initiates an ajax request back to the server.

Thanks!

@ziluvatar
Copy link
Contributor

The token expiration is checked each time the user initiates an ajax request back to the server.

Who checks that? frontend or backend?

Frontend: You may not need that, just keep in your js code a "timer", it gets restarted/checked on every action (timer > exp - iat (or custom claim saying 2 hours) => force login)

Backend: You would need to renew the token and send it back on each server action (cookie? header?)

renew the token: maybe with something like: #172

@papaiatis
Copy link
Author

papaiatis commented Feb 23, 2017

Who checks that? frontend or backend?

Actually both. In frontend I'm using this module: https://github.com/auth0/angular2-jwt which checks the token on each request. In backend, I check it manually.

Thanks for the tip, I'll take a look at the mentioned issue ASAP.

@papaiatis
Copy link
Author

Sorry for the late reply. So I ended up creating a "renew token" API endpoint which I call when my angular 2 application starts up and then every 5 minutes. The server then returns me back a renewed token which I store in local storage.

@ziluvatar
Copy link
Contributor

Thanks for letting us know your final solution!

@anuragpathak2608
Copy link

@papaiatis
@ziluvatar
Requesting new token from client-side in your case Angularjs will cause swquirty issue.
If your token gets leaked your application may get compromised completely.
And if we provide the functionality to the client to request fresh token it will allow an attacker to use the token for an indefinite time. And this will make the exp value of 2hours in token useless.

From security perspective, the token should be pushed from the server site instead of client-side to
so that if your valid token gets leaked attacker can not use the same token for more than exp time here it is 2 hrs.

I'm not sure how can we do it as it will conflict with the stateless property of JWT.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants