I have a project with NodeJS with jwt for managing user authentication. After a period of time, my app stops working and my server prints the following:
return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
       ^
TokenExpiredError: jwt expired
Now, the person who was working in this project before me had this code for managing the tokens:
const jwt = require('jsonwebtoken');

// Secrets are assumed to come from the environment (the original snippet does not show where they are defined).
const { API_SECRET, API_SECRET_REFRESH } = process.env;

class TokenService {
  // Short-lived access token: signed with API_SECRET, expires after 7 days.
  static generateToken(username, type, id) {
    return jwt.sign({ username, type, id }, API_SECRET, { expiresIn: '7d' });
  }

  // Refresh token: signed with a separate secret, expires after 30 days.
  static generateRefreshToken(username, type, id) {
    return jwt.sign({ username, type, id }, API_SECRET_REFRESH, { expiresIn: '30d' });
  }
}
My guess is that the issue is the expiresIn: '7d' (since I’m quite new with jwt). I also know that we can omit the expiresIn field to make the token not expire at all. My question is: is it safe to omit said field, or is there another way to tackle this kind of error message? Since every time that message pops up, I have to delete the entire browsing history of my browser (or run my project in incognito mode) in order for it to start working again.
Answer
You should not create a token that does not expire. So, you should keep the expiresIn config.
That being said, you don’t have to use a refresh token strategy. There are a lot of ways to handle this. For example, you can do the following:
- Create a /check-token endpoint that will check if the current token is still valid.
- Create a token when the user logs in. The token will be valid for 7 days, for example.
- Each time the user opens your application, call the /check-token endpoint. If the current token is not valid, log out the user. If the current token is valid, generate a new token that will be valid for another 7 days and continue to authenticate the user with the new token.