
I am creating a jwt token and refresh token as follows

    const jwt = require("jsonwebtoken");

    // short-lived access token (60 seconds)
    token = jwt.sign(
      { username: req.body.username },
      "Secret-token",
      { expiresIn: 60 }
    );

    // longer-lived refresh token (3 hours), signed with a separate secret
    refreshToken = jwt.sign(
      { username: req.body.username },
      "some-secret-refresh-token",
      { expiresIn: "3h" }
    );

And I can even verify the token received from the user with the following code

    jwt.verify(token, "Secret-token", function (err, decoded) {
      ….
    });

I store only the secret passphrase in auth/config.js. This is all I store. So, what is the need of storing the token and refresh token in a database, cookie, array, etc.? Since I am able to decode the token with verify, why do we need to store it? I am not matching or comparing the token with any stored token.

I can even check whether the token has expired or not using the following code

    // inside the verify callback
    err instanceof jwt.TokenExpiredError

Any clarification in this area would be highly appreciated. Thanks in advance!

Jay
    Who says you need to store JWT server-side? See [Where are JWT tokens stored on the server](https://stackoverflow.com/questions/33448044/where-are-jwt-tokens-stored-on-the-server-and-other-related-questions). Also, see [invalidating JWT](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens). – jarmod Jul 26 '22 at 15:37

1 Answer

The client (user) which is authenticating to the server needs to store the JWT, not the server. If you are the server issuing the JWTs then as you said there is no reason to store the created JWTs. However, if you are a user of the JWT, you need to use that token to authenticate with the server and potentially refresh it if it expires.

I'm not sure if this is the case you are mentioning but one case where a server may need to store JWTs is if the server is actually a client of another service. In this case, you don't know the secret token and are more like a user. Thus, you would still need to store the JWTs on the server.

Jimmy
  • (1) This is a REST API which means it is serving other users. Here you see the tokens are being stored in array object “tokenlist” - https://codeforgeek.com/refresh-token-jwt-nodejs-authentication/ (2) This is also an Authentication server, storing Token in MySQL DB - https://www.bezkoder.com/jwt-refresh-token-node-js/ There are plenty more. Anyways - thanks for your prompt reply. – Jay Jul 27 '22 at 07:01