How to expire JWT token on logout from the app or website?. It is an important question for node js programmers who are using the JWT library to generate an authentication token.
JSON Web Tokens
JWT (JSON Web Tokens) provides a way to handle user authentication in a stateless way. What does that mean? Alright, It helps to manage authentication in any storage without storing the authentication state, whether it be a session or a database. Therefore you do not need to access the session or perform a database query while verifying the user’s authentication status. Instead, you create a token based on the user payload of your choice and use it to identify the user on the server in client-side requests.
So, basically, once a token is created, it can be used permanently, or until it is expired. After specified time, JWT generator can get an option to invalidate the token.
So what should you do if you wish to invalidate an existing token? What should you do when the user decides to sign out or let’s say change password?
Expire JWT token on logout
Okay, so normally the client side stores the token somewhere while using JWT authentication, and attaches it to any request that needs authentication. Thus, the first thing to do when logging out is simply delete the token that you saved on the client (i.e. local storage browser). In that case, the client does not have a token to put in the request, thus causing unauthorized status of response. But still does that be enough? Anyway, the specific client (browser, app) will no longer be authenticated, but the token still exists somewhere, and is still valid! If someone has copied the token from the request he / she would still be able to make requests on the user’s behalf!.
Actually, JWT serves a different purpose than a session and it is not possible to forcefully delete or invalidate an existing token.
Can token expire?
Yeah, the tokens can be expired. but, you can’t do that on demand.
You can pass an expiry time when signing a user payload for a JWT. You need to provide it as a field called exp in the payload like below:
2 3 4 5 6 7 8 9 |
{ "userid": "1234567890", "username": "Tutorials Website", "iat": 1516234022, "exp": 1516239022 } |
In the above example, the iat field here stands for “issued at”. This token is set to expire 5 seconds after it was issued. The expiration field takes number of milliseconds since the start of Unix epoch.
If you don’t want to have forever valid tokens, you should always set a reasonable expiration time on you JWT.
For a NodeJS app the code should look something like this:
2 3 4 5 6 7 8 9 10 11 12 13 |
const jwt = require('jsonwebtoken'); const payload = { "userid": "1234567890", "username": "Tutorials Website", "iat": 1516234022, "iat": 1516234022 } const token = jwt.sign(payload, 'your-secret', {expiresIn: '1d'}) |
Here, We will go with one day tokens and generate them in our login action.
So, with this example, all users will be automatically logged out after 1 day of using your app.
Note: If you are using one of the JWT libraries, then most likely you can also pass an expiration time in the signing method options.
“Awesome, but I still want to log out!”
Well, As mentioned above, after a token has been generated, you can not manually expire. You can not log out on the server side with JWT.
If you want to restrict the usage of a token when a user logs out. simply follow these 4 bullet points:
- Set a reasonable expiration time on tokens
- Delete the stored token from client-side upon log out
- Have DB of no longer active tokens that still have some time to live
- Query provided token against The Blacklist on every authorized request
Conclusion
As you know, JWT is stateless, which means you can store everything you need in the payload and skip executing a DB query on every request. So if you’re trying to provide a strict log-out functionality, that can’t wait for the auto-expiration token, even though you’ve cleaned the token from the client-side, then you might need to ignore the stateless logic and do some queries.
Are you looking for website Designer and developer in delhi, India?
Pradeep Maurya is the Professional Web Developer & Designer and the Founder of “Tutorials website”. He lives in Delhi and loves to be a self-dependent person. As an owner, he is trying his best to improve this platform day by day. His passion, dedication and quick decision making ability to stand apart from others. He’s an avid blogger and writes on the publications like Dzone, e27.co