
I am using Express.js along with jsonwebtoken version ^7.4.1.

Issues:

  1. How to differentiate between expired and invalid tokens
  2. How to use refresh tokens along with JWT
  3. When I verify the JWT token created by Express.js, it is always invalid, but when the same data is used to create a token on jwt.io, it is valid. Am I missing anything? Below is the link for that
Rohith

1 Answer

  1. For the client there's no difference, he'll get a 401 in both cases. On the server side you would verify the signature and the exp field.
  2. See my answer at: Should I explicitly send the Refresh Token to get a new Access Token - JWT
  3. This is a common question from users trying to verify tokens on jwt.io. You have to paste the contents of config.secretKey into the edit field in the 'Verify Signature' part of the table in the 'Decoded' column. In the second case the secret is 'secret', the default setting on jwt.io. If you have a different secret, as in your first case, jwt.io doesn't know it and therefore can't verify it.
jps
  • 1) How to verify the token on server-side? 2) How to use refresh tokens along with JWT? I mean how to generate refresh tokens and how to verify them and send new access token. 3) Now, this is correct. – Rohith Oct 02 '17 at 12:40
  • 1) Probably jwt.verify(...), check the documentation of your framework, I'm not working with node.js and express here. Basically you do the same thing as jwt.io: check if the signature matches. 2) Maybe this helps: https://stackoverflow.com/questions/26580213/implementing-refresh-tokens-with-angular-and-express-jwt – jps Oct 02 '17 at 13:40
  • Can I use another JWT token as the refresh token, with a longer expiry time? Validate this refresh token and send a new access token. – Rohith Oct 02 '17 at 14:05
  • Basically you can implement your token and refresh token handling as you like it, but usually the refresh token is not a jwt. Better rely on what the framework offers. – jps Oct 02 '17 at 15:56
  • I am not sure about the refresh token offered by `jwt` in `nodejs`. I have visited the link which you have posted, but it doesn't describe a `refresh tokens` implementation. Is that the correct link? – Rohith Oct 02 '17 at 17:42
  • As mentioned before, I'm not using node.js and express, therefore I can't say much about the implementation and would have to google it myself. But this is already beyond the scope of the original question. Usually here on SO it should be one question at a time. Please accept the answer above as it answers your original question and create a new one about how to implement refresh tokens in node.js, if you can't find this answered here on SO. – jps Oct 03 '17 at 11:47