問題描述
我正在使用 JWT 創建一個 node.js 后端應用程序.對我來說,要求很簡單,授權令牌不應該有任何到期時間.但是當用戶更改密碼時,我在使 JWT 失效時遇到問題.
Am creating a node.js backend app using JWT. For me the requirement is simple, that the authorization token shouldn't have any expiry time. But I am facing problem during invalidating JWT When user changes his password.
當用戶更改密碼時,我將創建一個新的 JWT Token,并刪除舊的令牌,但用戶仍然可以使用他的舊 JWT 令牌(來自其他登錄的設備)并可以訪問應用程序.
When user changes his password, I will create a new JWT Token, and delete the old token, but still the user can use his old JWT token (from other logged in devices) and can access the application.
那么誰能告訴我如何避免這種情況?
So can anyone tell me how to avoid this scenario?
推薦答案
對我來說似乎是一個熟悉的問題,我已經回答了類似的問題 使 JWT 令牌無效的最佳實踐.
Looks like a familiar question to me, I have already answered the similar question Best practices to Invalidate a JWT Token .
所以解決你的問題的步驟如下,
So the steps for solving ur problem as follows,
當用戶登錄時,在他的用戶數據庫中創建一個沒有過期時間的登錄令牌.
when user login, create a login token in his user database with no expiry time.
因此,在使 JWT 無效時,請按照以下步驟操作,
Hence while invalidating a JWT, follow the below steps,
- 檢索用戶信息并檢查令牌是否在他的用戶數據庫中.如果允許.
- 當用戶注銷時,僅從他的用戶數據庫中刪除此令牌.
- 當用戶更改密碼時,從他的用戶數據庫中刪除所有令牌并要求他再次登錄.
所以基本上你需要將令牌存儲在用戶的數據庫中并在失效時使用它.簡單:)
So basically you need to store tokens in user's database and make use of it while invalidating. Simple :)
這篇關于如何使沒有到期時間的 JWT 令牌無效的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!