Extend token expiration #233

Closed
roytz opened this issue Apr 25, 2017 · 11 comments

@roytz

roytz commented Apr 25, 2017

Hi,
I've set the token exp value to be 7d.
Now, I want to extend the expiration every time the token is being validated and expires in less than 7 days - I want to do that on the validateFunc.
Here is my validateFunc with the TODO part where I want to change the exp value or return a new token with new exp value -

```js
const validate = async (decoded, request, callback) => {
  try {
    // doing stuff to check that the user is valid

    const tokenExpirationDate = moment(decoded.exp * 1000);
    if (tokenExpirationDate.diff(moment(), 'days') < 7) {
      //TODO: extend token expiration
    }
    return callback(null, true);
  } catch (error) {
    throw error;
  }
};
```

How can I do that?

@doron2402

doron2402 commented May 1, 2017

You'll have to generate a new token and pass it to the user.
JWT tokens are immutable.

Another way would be to use a key/value store such as Redis and store the token without an expiration date. It will also help you restrict access without changing the secret key if you need to.

@roytz
Author

roytz commented May 2, 2017

Thank you @doron2402, can I generate a new token and pass it back to the client from the validate function (since this is the place where I find out if a token expired)?

Regarding the Redis solution, what do you mean by it will help me restrict access without changing the secret key?

@doron2402

np @roytz,

For your first question, you can return the new token inside the header and make sure to use it on the client. If you have some sort of a middle layer between your API, you can force the Authorization header to be equal to the new value.

For your second question regarding Redis: a JWT token has a lifetime, let's say a week. Let's say that somehow your token got leaked, or someone hacked your user's computer and now holds the JWT token. There's no way for you to restrict this token, even if you delete the user from your database and change the user's password.
Therefore you can use Redis and validate the token against it.
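
The two suggestions in the comment above (issue a fresh token when the old one nears expiry, and validate tokens against a server-side store so a leaked token can be cut off), as an added example that is not part of the original thread or of the plugin's own code. It uses only Node's `crypto`; the function names, the in-memory `Map` standing in for Redis, the `jti` claim and the half-lifetime renewal threshold are assumptions.

```javascript
// Added example: sliding-expiration re-issue for HS256 JWTs, checked against a
// server-side session store. All names below are hypothetical.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not a real key
const TTL = 7 * 24 * 3600;                // 7d lifetime, as in the question
const sessions = new Map();               // jti -> user id (stand-in for Redis)

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

function issue(userId, now) {
  const jti = crypto.randomUUID();
  sessions.set(jti, userId);
  const claims = { sub: userId, jti, iat: now, exp: now + TTL };
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  return `${body}.${mac(body)}`;
}

// Returns the claims, or null if the token is malformed, forged, expired or revoked.
// The MAC is always HMAC-SHA256; the header's "alg" value is never trusted.
function verify(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const expected = Buffer.from(mac(`${parts[0]}.${parts[1]}`));
  const given = Buffer.from(parts[2]);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); }
  catch { return null; }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  if (sessions.get(claims.jti) !== claims.sub) return null; // revoked or unknown
  return claims;
}

// One central check decides whether to rotate, instead of every route handler.
function authenticate(token, now, renewBelow = TTL / 2) {
  const claims = verify(token, now);
  if (!claims) return { ok: false };
  if (claims.exp - now >= renewBelow) return { ok: true, claims };
  sessions.delete(claims.jti);            // the old token stops working
  return { ok: true, claims, newToken: issue(claims.sub, now) };
}

// Server-side revocation: works without changing SECRET.
const revoke = (jti) => sessions.delete(jti);
```

The caller is expected to copy `newToken`, when present, into a response header that the client reads and stores for its next request.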

@roytz
Author

roytz commented May 5, 2017

Thanks @doron2402

@roytz roytz closed this as completed May 5, 2017
@shai32

shai32 commented May 13, 2017

In the validate function, I don't have a way to return a new token. (There is no reply method.)
So how can I send a new token to the client?

@roytz roytz reopened this May 13, 2017
@doron2402

You can overwrite the validate function to return a callback/promise with the token.
Your handler should handle the response (reply object). It's a bad practice to have your validate function have access to the request & reply objects.

@shai32

shai32 commented May 14, 2017

validateFunc is very limited.

  1. You can't create a new token and pass it as a header to the client; you can only call callback with err, valid and credentials:
    callback - (required) a callback function with the signature function(err, isValid, credentials) where:
    err - an internal error.
    valid - true if the JWT was valid, otherwise false.
    credentials - (optional) alternative credentials to be set instead of decoded.

  2. So if I want to return a new token to the client, I need to do it in each route handler (the logic of creating a new token and putting it in the header). All my API calls should have this logic to return the new token when expired. So adding this logic to every handler is a bad practice and a lot of code duplication.
    How do you guys solve it?

@bitcloud
Contributor

bitcloud commented May 15, 2017

Did my answer in #237 solve this issue for you @shai32?

@shai32

shai32 commented May 15, 2017

@bitcloud yes

@bitcloud
Contributor

Great! What about you @roytz? Otherwise you can close this issue. :-)

@roytz
Author

roytz commented May 15, 2017

Thanks @bitcloud

@roytz roytz closed this as completed May 15, 2017