Node js, JWT token and logic behind


Question

I'm using JWT to protect Node.js URLs: https://github.com/auth0/express-jwt

To create a JWT token user session I simply do:

-> auth/signup
    -> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });

or in the login call:

-> auth/login
    -> jwt.sign(user_profile, secret, { expiresInMinutes: 900000000 /* almost never expires */ });

Every time a protected URL is called I check for req.user, which is set up automatically by the JWT middleware.

Now I'd like to know:

1 - Where are JWT tokens stored when calling sign()?

2 - Do I have to verify() the token every time a protected URL is called? If yes, why?

3 - When I set a new token for an already signed-in user, does the old token (if it exists) get deleted? What if the expiration has not been set up, or is 5 years, for example?

4 - Why can't I set new tokens on the same browser/app page? I get an invalid signature error if I register a new token, but the token matches (I checked). It's like I can't sign in more than 1 user on the same browser.

Recommended answer

You must have already figured out the answers to all your previous questions using the previous responses from the other users, but I will try to clear things up a bit for others too:

1 - Where are JWT tokens stored when calling sign()?

When you call sign, the signed token is not stored anywhere; it is returned by the sign function. Then you have to send it to the client so that it can be stored on the client side (e.g. session storage, local storage or a cookie).

2 - Do I have to verify() the token every time a protected URL is called? If yes, why?

Yes, you do. The idea is that once the client has the token, they will send the token to the server each time they make a request. The token is processed by the server to determine whether a particular client has already been authenticated.

3 - When I set a new token for an already signed-in user, does the old token (if it exists) get deleted? What if the expiration is not set up, or is 5 years, for example?

Slightly related to the answer on point 1. Calling the sign function will just generate another token. The expiration of the token is stored within the signed token itself. So each time the server gets a token from the client, it checks the expiration as part of the token verification. It's important to note that the signed token is just the "user_profile" object that you passed in as a parameter during the signing, plus extra fields like the expiration date which are added to that object.

So a client can have multiple tokens stored on the client side. They will all be valid as long as they have not yet expired. However, the idea is to only send a token to the client when they have been authenticated again after the old one has expired.

4 - Why can't I set new tokens on the same browser/app page? I get an invalid signature error if I register a new token, but the token matches (I checked). It's like I can't sign in more than 1 user on the same browser.

The idea is to have 1 user per browser, since in this case the browser is the client. I cannot think of use cases where you would need to have multiple users per browser/client, so you were obviously doing something wrong. That's not to say it's impossible to send multiple tokens to the same browser/client.
