Destroy a JWT token

0

Hello, does anyone know how it is possible to destroy a token in NodeJS? I'm using JWT to do a password reset: I send a URL to the user with a token, the system checks the token using jwt.verify() and, if it is correct, it performs the update of the password. The problem is that this token remains active, say, since it has a duration of 1h, and to give more security I would not like this token to remain valid for 1h, so what I want to do is destroy the token after doing the password update so that it can only be used once. How can this be done with jwt?

    
asked by Santiago D'Antuoni 31.01.2017 в 22:44

2 answers

3

A JWT token cannot be revoked. JWT is used mainly for authentication of a system, not as an identifier of some process. You can do your thing in two ways:

  • Generating a record in a table with a field that represents the date when the password restoration was requested.
  • Generating a token with an expiration date and, when updating your password, deleting the token.

    Using a table

    The following example uses sequelize and moment:

    let email = req.params.email;
    let date = Date.now(); // when the restoration was requested
    // store the request as active; the findOne below filters on these fields
    models.RecoveryPwd.create({ email, date, state: 'active' });
    

    When you enter a password restoration request, check if the deadline has expired:

    const moment = require('moment');

    models.RecoveryPwd.findOne({
      where: { // sequelize filters go under `where`
        email: req.params.email,
        state: 'active'
      }
    })
    .then((request) => {
      if (request) {
        let now = moment();
        let requestTime = moment(request.date);

        if (now.diff(requestTime, 'days') >= 1) {
          res.jsonp({
            success: false,
            message: 'El tiempo límite ha expirado. Intente de nuevo'
          });
        } else {
          res.jsonp({ success: true });
        }
      } else {
        // no active request for this email
        res.jsonp({ success: false });
      }
    });
    

    Using a token

    Using a token is similar, when the password restoration request is made, you generate the token with a maximum time.

    const token = jwt.sign(
      {
        email // we store the email in the token
      },
      'supersecreto',
      {
        expiresIn: '1d' // maximum lifetime 1d
      }
    );
    

    This token is saved in sessionStorage :

    sessionStorage.setItem('pwdRecovery', token);
    

    And when the recovery button is clicked, the frontend sends the request to the backend, including the token.

    fetch('/url', {
      method: 'POST', // a GET request cannot carry a body
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ token: sessionStorage.getItem('pwdRecovery') })
    })
    .then((res) => res.json())
    .then(({ success, email, message }) => {
      if (success) {
        window.location = `/recovery/${email}`;
      } else {
        alert(message);
      }
    });
    

    When the backend receives the token, it checks whether it has expired:

    let token = req.body.token;

    try {
      // verify with the same secret used to sign; throws if expired or tampered
      let decoded = jwt.verify(token, 'supersecreto');

      res.jsonp({
        success: true,
        email: decoded.email
      });
    } catch (e) {
      // expired (or invalid signature)
      res.jsonp({
        success: false,
        message: 'El tiempo límite ha expirado. Intente de nuevo'
      });
    }
    

    At the end of this process, if the token has not expired, the user is redirected to http://tuapp.com/[email protected], where you must place a form to update the password and send the email from the query.

    It should be noted that the token must be removed from sessionStorage if it has already expired or if the password has already been changed.

        
    answered by 31.01.2017 / 23:40
    0

    According to this comment, he wants the token to update the password only once. From what I know about JWT, I have not seen a way to "destroy" a token. In my opinion, you should use some additional information in your token or on your server to do an additional validation, indicating that the token can no longer be used a second time.

        
    answered by 18.12.2018 в 14:12