javascript – Node.js, JWT tokens and the logic behind them
I am using JWT to secure Node.js URLs: https://github.com/auth0/express-jwt
To create a JWT token for a user session, I simply do:
-> auth/signup
-> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });
Or, in the case of the login call:
-> auth/login
-> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });
Every time a protected URL is called, I check req.user, which is set automatically by the JWT middleware.
Now I would like to know:
1 – Where is the JWT token stored when sign() is called?
2 – Do I have to verify() the token every time a protected URL is called? If so, why?
3 – When I set a new token for a user who has already signed in, is the old token (if it exists) deleted? What if no expiration is set, or it is, say, 5 years?
4 – Why can't I set a new token on the same browser/app page?
If I sign up a new token but the token matches (I have checked), I get an invalid signature error.
It's as if I can't sign multiple users on the same browser.
Solution:
You must already have figured out the answers to all the previous questions from other users' replies, but I'll try to clear a few things up for others:
1 – Where is the JWT token stored when sign() is called?
When you call sign, the signed token is not stored anywhere; it is returned by the sign function, and then you have to send it to the client so that it can be stored on the client side (e.g. session storage, local storage or a cookie).
2 – Do I have to verify() the token every time a protected URL is called? If so, why?
Yes, you do. The idea is that once the client has the token, they will send the token to the server each time they make a request. The token is processed by the server to determine whether a particular client has already been authenticated.
3 – When I set a new token for a user who has already signed in, is the old token (if it exists) deleted? What if no expiration is set, or it is, say, 5 years?
Slightly related to the answer on point 1. Calling the sign function will just generate another token. The expiration of the token is stored within the signed token itself, so each time the server gets a token from the client, it checks the expiration as part of the token verification. It's important to note that the signed token is just the "user_profile" object that you passed in as a parameter during signing, plus extra fields like the expiration date which are added to that object.
So a client can have multiple tokens stored on the client side. They will all be valid as long as they have not yet expired. However, the idea is to only send a token to the client when they have been authenticated again after the old one has expired.
4 – Why can't I set a new token on the same browser/app page? If I sign up a new token but the token matches (I have checked), I get an invalid signature error. It's as if I can't sign multiple users on the same browser.
The idea is to have one user per browser, since in this case the browser is the client. I cannot think of use cases where you would need to have multiple users per browser/client, so you were obviously doing something wrong. That's not to say it's impossible to send multiple tokens to the same browser/client.