Approach
- When the user enters or refreshes the page, the current token is blacklisted (the blacklist is kept in Redis, with the token's creation timestamp as the key and its expiration time as the value) and a new token is created and returned to the front end.
- Check whether the tokens in the blacklist have expired: use node-schedule to scan the Redis blacklist at short intervals (one day) and remove any entry whose expiration time has passed.
- When verifying a token, add a blacklist check: take the current token information (in req.user), read its creation timestamp and look it up in the blacklist. If it is there, reject it through express-jwt's isRevoked handling.
```js
router.post('/init/', function(req, res, next) {
  console.log(req.user) // print the decoded token
})
```
Printed output: iat is the token's creation time and exp is its expiration time.
Redis: add, delete, update and query; traversing and deleting the blacklist
- Use hget/hset to read and write data. The difference between set and hset in Redis: set/get stores a single value, like placing a student directly in the school and, when searching, gathering everyone together and calling names. hset/hget stores a data object (a hash), like finding the class first and then the student within it.
- hkeys retrieves all keys contained in the hash and hvals retrieves all values; together they can be used to traverse and look up entries.
- hdel deletes a field from the hash (del removes an entire key).
```js
// Check whether blacklisted tokens have timed out.
// Hash "token": field = creation timestamp (iat), value = expiration time (exp), in seconds.
// hgetall is used instead of hvals because hdel needs the field, not the value.
const now = Math.floor(Date.now() / 1000)
redisClient.hgetall('token', function(err, entries) { // entries: { iat: exp, ... }
  if (err) { console.log('hgetallErr:', err); return }
  Object.keys(entries || {}).forEach(function(field) {
    if (now > Number(entries[field])) {
      console.log('Timeout, delete') // Timed out: remove this field from the hash
      redisClient.hdel('token', field, function(err, resData) {
        if (err) { console.log('delErr:', err) }
        console.log('Deleted successfully!')
      })
    } else { console.log('Not timed out') }
  })
})
```
Put the above code into a node-schedule job so that it runs at regular intervals.
The isRevoked option of express-jwt
The isRevoked option accepts a function. If that function calls done(null, true), the token is treated as revoked and a 403 error is reported; if it calls done(null, false), the token is accepted as normal.
```js
const JWT = require('express-jwt')

let isRevokedCallback = function(req, payload, done) {
  // payload: current token information, e.g. { username: 'test', iat: 1591179448, exp: 1591784248 }
  // The blacklist hash "token" is keyed by the creation timestamp, so look up payload.iat.
  // (hexists is assumed here; the Redis call name was lost in extraction.)
  redisClient.hexists('token', payload.iat, function(err, tokenNumber) {
    if (err) {
      console.log('hashErr:', err)
    }
    if (tokenNumber == 1) {
      console.log('In the blacklist')
      return done(null, true) // second argument true: the token does not pass
    } else {
      console.log('Not on the blacklist')
      return done(null, false) // the token passes
    }
  })
}

const jwtAuth = JWT({
  secret: PRIVATE_KEY,
  credentialsRequired: false,
  isRevoked: isRevokedCallback // pass in the configuration item
}).unless({
  path: [] // JWT authentication whitelist
})
```
A token property is sacrificed
Note that one of the properties of a token is statelessness: it needs no server-side storage and no frequent read and write operations. Implementing token renewal this way violates that property. Other advantages of tokens, such as avoiding CSRF attacks, remain, so make the trade-off according to your requirements.
Corrections to anything above are welcome.
Personal website: lppwork.cn, a site that syncs memos and adds tasks to a calendar, under continuous development…