Refresh token

[matiux]

Any ideas of how to implement the refresh token?

Seems nobody has written nothing...

[jfromaniello]

http://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration

[matiux]

OK thanks.

But some example of how to implement with node-jsonwebtoken?

[Sean-Wang]

+1

[nnur]

+1

[nnur]

is there a way to reissue the same token but just change the expiry date?

[morgondag]

kinda same as #133 but is there any official support to refresh a token?
Right now I validate the token and user data and then sends a new one to the client if it has expired,
but would rather just update the existing token.

    jwt.updateToken(token, data)

[mateeyow]

@morgondag I think your implementation is very dangerous since you are not assigning any expiration time to the token. It means that if some hacker gets the token, he/she can access your API indefinitely.

[morgondag]

@mateeyow sounds good, so what we are asking for is a way to update a token.
nothing is saying that we are nit doing any form of validation on it beforehand.

So there is no real way to update a token or change it expiry date without generating a new key.

I guess the best way is simply to force to user to login again and again and again :-/

[bookercodes]

I am also having trouble finding good information on:

• How to implement refresh tokens server-side
• A sensible strategy to refresh tokens on the client-side

[procedurallygenerated]

+1

[morgondag]

any progress?

[umair321]

you can verify user using previous token, then generate a new one for that user. Like:

 jsonwebtoken.verify(token, mySecret, function (err, user) {
            if (err) {
                return res.json(err);
            }
            if (user.id)
              res.json({
newToken: jwToken.issue({
                        id: user.id
                    })
});

        });

[jppellerin]

This is what I ended up doing on my end. My token is already verified by the time I hit my refresh function.

static refreshToken = (token): string => {
    let optionKeys = ['iat', 'exp', 'iss', 'sub'];
    let newToken;
    let obj = {};

    let now = Math.floor(Date.now()/1000);
    let timeToExpire = (token['exp'] - now);

    if (timeToExpire < (60 * 60)) { //1h
        for (let key in token) {
            if (optionKeys.indexOf(key) === -1) {
                obj[key] = token[key];
            }
        }

        let options = {
            expiresIn: '7 days',
            issuer: 'moi',
            subject: token.sub,
            algorithm: 'HS256'
        };

        newToken = JWT.sign(obj, Config.get('/jwtSecret'), options);
    }
    else {
        newToken = '';  //no need to refresh, do what you want here.
    }

    return newToken;
}

I don't refresh the token if it still has enough time to live. This may or may not be necessary, but saving a bit of calculation when not necessary.

Written in TypeScript, but the logic is the same. Should be generic enough to be used in many different circumstances.

[morgondag]

@jppellerin nice! would be nice to have that in the jwt api with a pull request <3

[jppellerin]

There's an idea... started working on it...