Invalidating JSON Web Tokens

前端未结

关注

 28  2398

夕颜 2020-11-22 06:17

For a new node.js project I\'m working on, I\'m thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store conta

28条回答

伪装坚强ぢ (楼主)

2020-11-22 07:08
Unique per user string, and global string hashed together
to serve as the JWT secret portion allow both individual and global token invalidation. Maximum flexibility at the cost of a db lookup/read during request auth. Also easy to cache as well, since they are seldom changing.

Here's an example:
```
HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "HS256",
  "typ": "JWT"
}
PAYLOAD:DATA

{
  "sub": "1234567890",
  "some": "data",
  "iat": 1516239022
}
VERIFY SIGNATURE

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload), 
  HMACSHA256('perUserString'+'globalString')
)

where HMACSHA256 is your local crypto sha256
  nodejs 
    import sha256 from 'crypto-js/sha256';
    sha256(message);
```
for example usage see https://jwt.io (not sure they handle dynamic 256 bit secrets)
0 讨论(0)

查看其它28个回答
发布评论:

提交评论
- 加载中...

Invalidating JSON Web Tokens

Unique per user string, and global string hashed together

Here's an example: