express-jwt

问题 I am using express-jwt to build a restful api. Now the client is making duplicate ajax calls, for the first one the initiator is angularjs and for the second one the initiator is other. The first one gets 204 as the response code and the second one gets 200 as the response code. I tried to debug to get to the source of this duplicate requests, but I am not able to. Below is the header details for the one with 204 status code Below is the header details for the one with 204 status code Can any

问题 With a database session token system I could have a user login with a username/password, the server could generate a token (a uuid for example) and store it in the database and return that token to the client. Every request from thereon would include the token and the server would look up whether the token is valid and what user it belongs to. Using JWT there would be no need to save anything to the database with respect to session/tokens thanks to the combination of the secret key kept on

问题 I want to implement the Sliding expiration concept with json web tokens using angular, nodejs and express-jwt. I'm a little confused on how to do this, and am struggling to find any example of refresh tokens or and other material relating to sessions with these technologies/frameworks. A few options I was thinking of were Generating a new token with each request after the initial login Keeping track of issued token on the server side along But I'm honestly not sure, please help 回答1: I managed

问题 Information on the express-jwt module can be found here: https://github.com/auth0/express-jwt https://www.npmjs.com/package/express-jwt In my main.js server file, I have the following: import ExpressJwt from 'express-jwt'; // import other crap... let token = ExpressJwt({ secret: 'whatever', audience: 'whatever', issuer: 'whatever' }); app.all('/apiv1', token.unless({ path: ['apiv1/user/create', '/apiv1/auth/login']})); app.use('/apiv1/user', user); app.use('/apiv1/auth', auth); Where user and

问题 I'm trying test a few endpoints using Postman. All endpoint, require a token which can be obtain by log-in. So I did this : Request #1 After login success, I have access to the token from the response, then I store that token in my global variable. let token = pm.response.json().location console.log('Token : ', token.split("?token=")[1]); pm.globals.set("token", token) I need to use that token as Authorization type Bearer Token for my request #2. I can copy & paste that in the token box, but

问题 I'm using express-jwt to secure my node application, and am wondering how I can use a wildcard in the unless parameter. My working code is below, what I'd really like to do is open up access to anything that has a path starting with '/login' so I don't have to list every single resource. When I add '/login*' to the unprotected array it ends up blocking /login with a 401/unauthorized. Works: // routes open to all var unprotected = [ '/login', '/login/app/main.js', 'favicon.ico' ]; // configure

问题 I put a JWT authentication system in a node app. I used an interceptor to put the Bearer in every request. It works well if I call a restricted route within Angular or if I curl and specify the token in the header. But if I enter the restricted route directly in my address bar, it doesn't work. There is no Bearer in the header, it doesn't go through the interceptor. Here is my interceptor (client-side): angular.module('myApp).factory('authInterceptor', function ($rootScope, $q, $window) {

问题 There are lots of discussion and favor that token based architecture of authentication of MEAN application is secure. But I have question that is it really pass user-name and password for authorization and authentication as payload in JSON Web Token, and if we are not passing secured information in payload then how JSON Web Token authenticate user without user-name / password in server side. I read lots of architecture stuff but they can't explain that what logic they used to authenticate

问题 We are using the expressJwt library and I want to be able to exclude the GET for the following route api/items/:id but not include any routes that look like api/items/:id/special-action . So far, I've only been able to exclude all routes that have the :id . Below is how we've achieved excluding GET routes that have :id . this.app.use(expressJwt({ secret: secrets.JWT }).unless({ path: [ ... { url: /\/api\/items\/(.)/, methods: ['GET'] }, ... ] }); I've tried { url: /\/api\/items\/(.)\//,

问题 The Auth0 team created something called "angular-jwt" which has a jwtHelper class. This thing successfully decodes a local JWT without the secret I used on the server. How did this happen? If they are not secure, then what is the point of using a secret to sign/encrypt them? Function on the server that encrypts the token (using "jsonwebtoken"): function createToken (user) { return jwt.sign(_.omit(user, 'password'), config.secret, { expiresInMinutes: 60*5 }); } Code from the client: angular