0

I am creating a Node.js / Express.js based login/registration system using JWT (I am using the JSONWEBTOKEN npm library).

Whenever a user logs in, that user gets a pair of access and refresh tokens. Now, to access resources, the user needs to send the access token to the backend.

Now, when I verify the access token sent by the user to the backend and it does not get verified, it produces three types of error (as mentioned in the JSONWEBTOKEN library on npm):

  1. TokenExpiredError: If I get this error, then in that case I will send a response to the frontend to send a request to the refresh token route to get a new pair of access and refresh tokens.

  2. JsonWebTokenError: If I get this error, then it means that the access token is malformed. In this case what should I do? Should I log out the user, or should I send a response to the frontend to send a request to the refresh token route to get a new pair of access and refresh tokens? <-- This is the main question: should I log out the user?

  3. NotBeforeError: Since I am not using the nbf claim, in that case I don't need to worry about it.

Please provide your useful suggestions. While building a backend, security plays an important role.

James Z
Study Planet

3 Answers

0

This is useful to read: JWT refresh token flow.

In short, you should log the user out if the refresh token is malformed or expired.

According to the JWT idea, the access token is a short-lived token. When it doesn't pass validation because it is malformed or expired, you have to send the refresh token to the server to get a new pair. The user continues to work using the new access token without interruption.

Altair1908
0

If the JWT is malformed then just block that call by responding with 403. That's fine. The application then decides whether to refresh the token or not.

When a user logs out, please revoke the issued token even if it is a JWT. JWTs also need to be revoked as a best practice. Yes, JWTs are self-contained tokens and expirations are already part of them. But if a user logs out and their JWTs are still not expired, it means someone can use that token to call different APIs. So it is a security breach.

To avoid such things, we should maintain the JTI claim of that JWT in our backend with the same TTL as the value of the JWT "exp". When the user logs out, we have to clear those JTIs and notify the API callers about this, just by putting it into some event service; their API gateways should get notified, clear any tokens cached on their side, and cross-check with the identity system (introspection).

This is how we have to design the system to avoid further security-related issues.

Hakuna Matata
  • Whenever a user logs in, the refresh token is sent to them in an HTTP-only secure cookie, and in the backend I store that refresh token as the value and the user ID of that user as the key in Redis with a particular TTL. If a user wants to log out, then I simply delete that key-value pair from Redis, and in the frontend I also remove the refresh token cookie. – Study Planet Sep 29 '22 at 05:39
  • If the access token is invalid or malformed, then in that case I think we need to simply send a response to the frontend to send a request to the refresh token route to get a new pair of access and refresh tokens, that's it. However, if the refresh token is malformed or invalid, then we should simply log out the user. – Study Planet Sep 29 '22 at 05:41
  • 401 status code seems better to me – Spomky-Labs Sep 29 '22 at 06:17
  • It should be 403, not 401. 401 is meant for unauthorized (authorization), not for authentication-related issues. Here the user token is malformed or expired, so we should throw them to the login page with 403 only. 401 is used when the user doesn't have enough permission to do something in the application. – Hakuna Matata Sep 30 '22 at 09:14
0

The first thing is that the user will be logged out from the frontend side.

The frontend will send a request to your Node server and the token will be verified. The server will only send the response that the token is expired or malformed, and based on that the frontend will perform the action.

If the token is expired, then request a new token.

If the token is malformed, then based on your requirements you can show results to your end user. You can either log out the user or show an unauthorized page.

Suppose you have a role-based website and some unauthorized user is trying to access root-level routes; then you can show an unauthorized page.

Drashti Kheni