Where and how should I check an access token for validity in passportjs


Problem description

I'm in the process of implementing refresh tokens and I use passportjs. What I don't completely understand is where and how I should check access tokens for validity and, in case an invalid token arrives, throw TokenExpiredException.

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { AuthService } from './auth.service';   // import paths assumed
import { PayloadDto } from './payload.dto';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
    constructor(
        private readonly authService: AuthService,
    ) {
        super({
            jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
            // passport-jwt verifies the signature and the exp claim itself;
            // an expired or badly signed token never reaches validate()
            ignoreExpiration: false,
            secretOrKey: process.env.JWT_SECRET,
        });
    }

    // Called only with an already-verified payload; whatever it returns
    // becomes request.user.
    public async validate(payloadDto: PayloadDto): Promise<PayloadDto> {
        const validUser = await this.authService.validateUser(payloadDto);
        return { id: validUser.id, phone: validUser.phone };
    }
}

The validateUser method currently looks like this:

// Method of AuthService: maps the verified JWT payload to a stored user,
// rejecting tokens whose subject no longer exists.
public async validateUser(payload: PayloadDto): Promise<UserEntity> {
    const retrievedUser: UserEntity = await this.userService.retrieveOne(payload.phone);
    if (retrievedUser) {
        return retrievedUser;
    } else {
        throw new HttpException('Invalid User', HttpStatus.UNAUTHORIZED);
    }
}

I'm wondering if it's secure to check it like this:

import { HttpException, HttpStatus, Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

@Injectable()
export class RefreshAuthGuard extends AuthGuard('jwt') {
    // passport-jwt reports verification failures through `info` (for an
    // expired token this is jsonwebtoken's TokenExpiredError); `err` and
    // `user` come from the strategy's validate().
    public handleRequest(err: any, user: any, info: Error): any {
        if (info) {
            if (info.name === 'TokenExpiredError') {
                throw new HttpException('TokenExpired', HttpStatus.UNAUTHORIZED);
            } else {
                throw new HttpException('Unauthorized', HttpStatus.UNAUTHORIZED);
            }
        }
        // The return value becomes request.user. Returning undefined would let
        // the request through with no user attached, so fail closed unless a
        // user was actually resolved.
        if (err || !user) {
            throw err || new HttpException('Unauthorized', HttpStatus.UNAUTHORIZED);
        }
        return user;
    }
}

Recommended answer

I would suggest changing your auth flow as follows (also see thread and thread):

  1. The client tries to call a protected route /secret with an expired auth token
  2. The server throws a TokenExpiredError to the client
  3. The client now requests a new access token from the auth server using its valid refresh token
  4. The auth server checks the refresh token and issues a new access token to the client
  5. The client retries /secret with the new access token

The whole purpose of a refresh token is that it never gets shared with the resource server and is not sent around with every request; this increases security. If the resource server makes the refresh request itself, you defeat this purpose. If the resource server and the auth server are the same, you still benefit from not sending the long-lived (➡ higher risk) tokens around so much, i.e., less chance for them to be compromised through a person-in-the-middle attack.
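The five-step flow from the answer, as an added example that is not part of the original post or of passportjs/NestJS: the auth server, the resource server (the equivalent of the RefreshAuthGuard above) and the client are simulated in one process. It uses only Node's built-in crypto module; the hand-rolled HS256 signer, the hard-coded secret, the 15-minute / 30-day lifetimes, the in-memory refresh-token store and the `now` parameter (Unix seconds, passed in so expiry can be exercised deterministically) are all assumptions made for the example.

```typescript
// Added example (not code from the original post): the five-step flow from
// the answer, simulated in one process with Node's built-in crypto module.
// Assumptions: HS256 JWTs signed by hand (no jsonwebtoken dependency), a
// hard-coded secret, 15-minute access tokens, 30-day refresh tokens and an
// in-memory refresh-token store; `now` is passed in as Unix seconds.
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'crypto';

const JWT_SECRET = 'example-secret-not-for-production';   // assumption
export const ACCESS_TTL = 15 * 60;                         // 15 minutes
export const REFRESH_TTL = 30 * 24 * 3600;                 // 30 days

const b64url = (s: string) => Buffer.from(s).toString('base64url');

export function signJwt(payload: object, secret: string): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Result shape mirrors what passport-jwt hands to handleRequest as `info`:
// the error name jsonwebtoken would report, or the verified payload.
export type Verified = { payload: any } | { error: 'TokenExpiredError' | 'JsonWebTokenError' };

export function verifyJwt(token: string, secret: string, now: number): Verified {
  const parts = token.split('.');
  if (parts.length !== 3) return { error: 'JsonWebTokenError' };
  const [head, body, sig] = parts;
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Check the signature in constant time before trusting any claim.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { error: 'JsonWebTokenError' };
  }
  let payload: any;
  try { payload = JSON.parse(Buffer.from(body, 'base64url').toString()); }
  catch { return { error: 'JsonWebTokenError' }; }
  if (typeof payload.exp !== 'number') return { error: 'JsonWebTokenError' };
  if (payload.exp <= now) return { error: 'TokenExpiredError' };
  return { payload };
}

// ---- auth server ----
// Refresh tokens are opaque random strings; only a SHA-256 hash is stored,
// so a copied database does not hand out usable refresh tokens.
const refreshStore = new Map<string, { id: number; phone: string; exp: number }>();
const sha256 = (s: string) => createHash('sha256').update(s).digest('hex');

export function issueTokens(id: number, phone: string, now: number) {
  const accessToken = signJwt({ id, phone, iat: now, exp: now + ACCESS_TTL }, JWT_SECRET);
  const refreshToken = randomBytes(32).toString('base64url');
  refreshStore.set(sha256(refreshToken), { id, phone, exp: now + REFRESH_TTL });
  return { accessToken, refreshToken };
}

// Step 4: validate the refresh token and rotate it, so a stolen copy that is
// replayed after the legitimate client has used it is rejected.
export function refresh(refreshToken: string, now: number) {
  const key = sha256(refreshToken);
  const rec = refreshStore.get(key);
  refreshStore.delete(key);                 // single use, whether valid or not
  if (!rec || rec.exp <= now) return null;  // caller must log in again
  return issueTokens(rec.id, rec.phone, now);
}

// ---- resource server ---- (what RefreshAuthGuard in the question does)
export function callSecret(accessToken: string, now: number) {
  const v = verifyJwt(accessToken, JWT_SECRET, now);
  if ('error' in v) {
    return { status: 401, body: v.error === 'TokenExpiredError' ? 'TokenExpired' : 'Unauthorized' };
  }
  return { status: 200, body: { id: v.payload.id, phone: v.payload.phone } };
}

// ---- client ---- steps 1-5; the refresh token never goes to /secret.
export function clientFlow(tokens: { accessToken: string; refreshToken: string }, now: number) {
  let res = callSecret(tokens.accessToken, now);                        // step 1
  if (res.status !== 401 || res.body !== 'TokenExpired') {             // step 2
    return { res, refreshed: false, reLogin: false, tokens };
  }
  const fresh = refresh(tokens.refreshToken, now);                      // steps 3-4
  if (!fresh) return { res, refreshed: false, reLogin: true, tokens };
  res = callSecret(fresh.accessToken, now);                             // step 5
  return { res, refreshed: true, reLogin: false, tokens: fresh };
}
```

Two points the flow depends on are visible here: the resource server distinguishes an expired-but-valid token ('TokenExpired', which the client may recover from) from a tampered or unknown one ('Unauthorized', which it must not), and the refresh endpoint only ever sees the refresh token, which it invalidates on use so a replayed copy fails.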
