Node.js, JWT tokens and the logic behind them

2022-01-10 00:00:00 jwt node.js express javascript express-jwt

I'm using JWT to protect Node.js URLs: https://github.com/auth0/express-jwt

To create a JWT token user session I simply do:

-> auth/signup
    -> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });

OR in case of a login call

-> auth/login
    -> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });

Every time a protected URL is called I check for req.user, which is set up automatically by the JWT middleware.

Now I'm wondering:

1 - Where are JWT tokens stored when calling sign()?

2 - Do I have to verify() the token every time a protected URL is called? If yes, why?

3 - When I set a new token for an already signed-in user, does the old token (if it exists) get deleted? What if the expiration has not been set up, or is 5 years, for example?

4 - Why can't I set new tokens on the same browser/app page? I get an "invalid signature" error if I register a new token, but the token matches (I checked). It's like I can't sign in more than 1 user on the same browser.

Accepted answer

You must have already figured out the answers to all your previous questions from the other users' responses, but I will try to clear things up a bit for others too:

1 - Where are JWT tokens stored when calling sign()?

When you call sign, the signed token is not stored anywhere. It is returned by the sign function; then you have to send it to the client so that it can be stored on the client side (e.g. session storage, local storage or a cookie).

2 - Do I have to verify() the token every time a protected URL is called? If yes, why?

Yes, you do. The idea is that once the client has the token, they will send the token to the server each time they make a request. The token is processed by the server to determine whether a particular client has already been authenticated.

3 - When I set a new token for an already signed-in user, does the old token (if it exists) get deleted? What if the expiration is not set up, or is 5 years, for example?

Slightly related to the answer on point 1. Calling the sign function will just generate another token. The expiration of the token is stored within the signed token itself. So each time the server gets a token from the client, it checks the expiration as part of the token verification. It's important to note that the signed token is just the "user_profile" object that you passed in as a parameter during the signing, plus extra fields like the expiration date which are added to that object.

So a client can have multiple tokens stored on the client side. They will all be valid as long as they have not yet expired. However, the idea is to only send a token to the client when they have been authenticated again after the old one has expired.

4 - Why can't I set new tokens on the same browser/app page? I get an "invalid signature" error if I register a new token, but the token matches (I checked). It's like I can't sign in more than 1 user on the same browser.

The idea is to have 1 user per browser, since in this case the browser is the client. I cannot think of use cases where you would need to have multiple users per browser/client, so you were obviously doing something wrong. That's not to say it's impossible to send multiple tokens to the same browser/client.
