怪我咯2017-04-17 14:54:44
1. First of all, you need to know what koa-jwt offers. Currently it provides only the functions `decode`, `sign` and `verify`. As for the token expiration you mentioned, the koa-jwt module does not provide a special function for it; there is only `verify`.
2. How to tell whether a token has expired? Let me briefly introduce jwt first, and then explain how to determine expiration.
2.1 jwt introduction
JSON Web Token (jwt): in web applications, many operations require verifying user permissions, determining whether the user is logged in, and so on. There are generally two ways to implement this: one is through `session` and `cookie`; the other is to use an authentication `token`. Using a token for authentication has two main advantages:
- The server does not need to query the DB for user information, because the user information is already stored in the token.
- Token authentication applies equally to mobile and PC clients, so the server does not need to maintain two sets of authentication mechanisms.
A standard jwt is composed of 3 parts: `<header>`, `<payload>` and `<signature>`.
- Header: a base64-encoded JSON object, including the encryption algorithm used, etc.
- Payload: a base64-encoded JSON object that stores user-related information.
- Signature: a signature string generated from the Header, the Payload and a key (known only to the server), using the encryption algorithm specified in the Header.
2.2 How to determine expiration
There are many ways to determine whether a token has expired. I will list a few here for you to choose from.

(1) jwt provides an expiration parameter. When issuing a token (when koa-jwt calls `sign`), set the `exp` attribute in the Payload. This is one of the Registered Claims (reserved claims) defined by jwt; remember that it must be greater than the current time. For example, to expire 10 minutes after the current time:

```js
{
  // exp is a NumericDate in seconds (RFC 7519), not milliseconds
  exp: Math.floor(Date.now() / 1000) + 10 * 60,
}
```
Then you can persist it in your localStorage, sessionStorage or cookie. The token is passed to the server with the request, and during verification (when koa-jwt calls `verify`) a `TokenExpiredError` is thrown if the token has expired. Error object:
- name: 'TokenExpiredError'
- message: 'jwt expired'
- expiredAt: [ExpDate]
(2) After the server generates the token, you can save the token in a cookie (or sessionStorage) in the response, and set the cookie's expiration time (`expire`), so that on the next request, when the token cannot be obtained from the `header` or `body` of the request, you know that the token has expired (similar to the code you provided, but remember to set the expiration time of the cookie that stores the token).
(3) Customize an attribute similar to `exp`. Because `exp` is a reserved attribute, you can instead set an `origin-iat` attribute recording when the token was last issued, and persist it. After decoding the token, check whether the difference between the current time and `origin-iat` has reached your expiration time; if it has, the user needs to re-authenticate and a new token is issued. The pseudo code is as follows:

```js
var profile = jwt.verify(req.header.token || req.body.token, secret);
// if more than 7 days old, force login (original_iat is stored in milliseconds)
if (Date.now() - profile.original_iat > 7 * 24 * 60 * 60 * 1000) { // iat == issued at
  return res.status(401).json({ isError: true, error: { message: 'Access Forbidden' } }); // re-login
}
```
The difference between these methods: with the first and third, the token can always be obtained from the request, but it may have expired; with the second, the token may not be obtainable from the request at all. Choose according to your business needs.
Attachment: JSON Web Token Specification RFC 7519