I am trying to make an authentication system with a refresh token and an auth token, and put the tokens in a blacklist when they expire and/or when the user logs out.
I have a login route, where I generate the access token and check whether there is already a refresh token for a given sub; if not, I create one and add it to Redis:
helper functions:
import jwt from 'jsonwebtoken';
import { container } from './container'; // assumed location of the DI container
import authConfig from './authConfig';   // assumed location of the auth config

// The Redis client is resolved once here so that both helpers share it
const redis = container
  .resolve('bootstrap')
  .getRedisServer()
  .getClient();

// Read the value stored under `key`; resolves null when nothing is stored
export const getRedisKey = (key) => {
  return new Promise((resolve, reject) => {
    redis.get(key, (err, data) => {
      if (err) return reject(err);
      resolve(data);
    });
  });
};

export const encode = (args, secret, options) => {
  return jwt.sign(args, secret, options);
};

// jwt.verify throws on a bad signature or an expired token
export const decode = (args, secret) => {
  const decoded = jwt.verify(args, secret);
  if (!decoded) {
    throw new Error('Invalid Token');
  }
  return decoded;
};

// Throws when the decoded claims are outside their validity window, otherwise returns them
export const isTokenExpired = (decodedToken) => {
  const now = Math.floor(Date.now() / 1000); // JWT exp/nbf are in seconds
  if (typeof decodedToken.exp !== 'undefined' && decodedToken.exp < now) {
    throw new Error(`token expired: ${JSON.stringify(decodedToken)}`);
  }
  if (typeof decodedToken.nbf !== 'undefined' && decodedToken.nbf > now) {
    throw new Error(`token not yet valid: ${JSON.stringify(decodedToken)}`);
  }
  return decodedToken;
};

export const getAcessToken = (props, payload) => {
  if (!authConfig.Authsecret) throw new Error('Missing access-token secret');
  const token = encode(payload, authConfig.Authsecret, {
    subject: props.sub,
    expiresIn: authConfig.tokenExpiryTimeInSeconds,
  });
  return token;
};

// Reuse the stored refresh token if one exists and is still valid, otherwise mint a new one
export const getRefreshToken = async (matricula) => {
  if (!authConfig.Refreshsecret) throw new Error('Missing refresh-token secret');
  const stored = await getRedisKey(matricula);
  if (stored) {
    try {
      isTokenExpired(decode(stored, authConfig.Refreshsecret));
      return stored;
    } catch (e) {
      // stored token is invalid or expired: fall through and create a new one
    }
  }
  const refreshToken = encode({}, authConfig.Refreshsecret, { expiresIn: '30d' });
  return new Promise((resolve, reject) => {
    redis.set(matricula, refreshToken, 'EX', 720 * 60 * 60, (err) => {
      if (err) return reject(err);
      resolve(refreshToken);
    });
  });
};
endpoint:
app.post('/login', async function (req, res) {
  const user = { matricula: 1 };
  try {
    // subject claims must be strings; the second argument is the token payload
    const accessToken = getAcessToken({ sub: String(user.matricula) }, { matricula: user.matricula });
    const refreshToken = await getRefreshToken(user.matricula);
    if (!accessToken) return res.status(403).json({ message: 'Invalid Access Token' });
    if (!refreshToken) return res.status(403).json({ message: 'Invalid Refresh Token' });
    return res.status(200).json({ accessToken, refreshToken, user });
  } catch (err) {
    return res.status(500).json({ message: err.message });
  }
});
I would like to know if doing this at login compromises security, or whether it is a logical failure. Why I thought of it this way: if a refresh token already exists and is valid, there is no reason to create another one. Or, when logging in, should I create a new refresh token and move the old token to a blacklist? Could anyone help me with this? I have doubts about how my blacklist could work.