问题描述
我正在使用 JWT 创建一个 node.js 后端应用程序.对我来说,要求很简单,授权令牌不应该有任何到期时间.但是当用户更改密码时,我在使 JWT 失效时遇到问题.
Am creating a node.js backend app using JWT. For me the requirement is simple, that the authorization token shouldn't have any expiry time. But I am facing problem during invalidating JWT When user changes his password.
当用户更改密码时,我将创建一个新的 JWT Token,并删除旧的令牌,但用户仍然可以使用他的旧 JWT 令牌(来自其他登录的设备)并可以访问应用程序.
When user changes his password, I will create a new JWT Token, and delete the old token, but still the user can use his old JWT token (from other logged in devices) and can access the application.
那么谁能告诉我如何避免这种情况?
So can anyone tell me how to avoid this scenario?
推荐答案
对我来说似乎是一个熟悉的问题,我已经回答了类似的问题 使 JWT 令牌无效的最佳实践.
Looks like a familiar question to me, I have already answered the similar question Best practices to Invalidate a JWT Token .
所以解决你的问题的步骤如下,
So the steps for solving ur problem as follows,
当用户登录时,在他的用户数据库中创建一个没有过期时间的登录令牌.
when user login, create a login token in his user database with no expiry time.
因此,在使 JWT 无效时,请按照以下步骤操作,
Hence while invalidating a JWT, follow the below steps,
- 检索用户信息并检查令牌是否在他的用户数据库中.如果允许.
- 当用户注销时,仅从他的用户数据库中删除此令牌.
- 当用户更改密码时,从他的用户数据库中删除所有令牌并要求他再次登录.
所以基本上你需要将令牌存储在用户的数据库中并在失效时使用它.简单:)
So basically you need to store tokens in user's database and make use of it while invalidating. Simple :)
这篇关于如何使没有到期时间的 JWT 令牌无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!