mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

Web Token expiresIn parameter #177

Closed alexxozo closed 4 years ago

alexxozo commented 5 years ago

Hello,

It's my first time using this package and I don't clearly understand how to set the expire date on a token. I read the docs and I thought it would be something like this:

passport.use(new JWTStrategy({
    jwtFromRequest: ExtractJWT.fromAuthHeaderAsBearerToken(),
    secretOrKey: 'secret',
    jsonWebTokenOptions: {
        expiresIn: '1s'
    }
}));

But it doesn't seem to work properly.

zakariaelas commented 5 years ago

From the docs:

jsonWebTokenOptions: passport-jwt is verifying the token using jsonwebtoken. Pass here an options object for any other option you can pass the jsonwebtoken verifier. (i.e maxAge)

Note that the options you will specify will get passed on to the jsonwebtoken verify method.

From jsonwebtoken docs:

maxAge: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span zeit/ms.

So what you're actually looking for is the "maxAge" property. The expiresIn property is used in the sign method of the jsonwebtoken package.

alexxozo commented 5 years ago

I have tried it like this:

passport.use(new JWTStrategy({
    jwtFromRequest: ExtractJWT.fromAuthHeaderAsBearerToken(),
    secretOrKey: 'secret',
    jsonWebTokenOptions: {
        maxAge: '1'
    }
}));

But it does not seem to work.

zakariaelas commented 5 years ago

That's odd. If you are signing tokens in your code, you can try the following workaround:

jwt.sign(toSign, secret, { expiresIn: '24h' });

Also, it seems you do not provide a verify function callback. I believe that the verify function is mandatory.
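Added example, not part of the thread and not code from passport-jwt or jsonwebtoken: a minimal HS256 model, built on Node's crypto module, of the distinction discussed above, where the issuer fixes expiry at signing time (the `exp` claim) and the verifier can separately cap token age against `iat` (the role `maxAge` plays). The names `signToken` and `verifyToken`, their option names, and the sample secret and timestamps are assumptions made for illustration.

```javascript
// Simplified stand-in for sign-time `exp` vs verify-time max age; not library code.
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url').toString('utf8');
const mac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Issuer side: expiresInSec becomes the `exp` claim; `iat` records the issue time.
function signToken(payload, secret, { expiresInSec, now }) {
  const claims = { ...payload, iat: now };
  if (expiresInSec !== undefined) claims.exp = now + expiresInSec;
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${b64u(mac(`${head}.${body}`, secret))}`;
}

// Verifier side: signature first, then `exp`, then the verifier's own age cap.
function verifyToken(token, secret, { maxAgeSec, now }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  const expected = mac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (JSON.parse(unb64u(head)).alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const claims = JSON.parse(unb64u(body));
  if (typeof claims.exp === 'number' && now >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (maxAgeSec !== undefined) {
    // An age cap needs an issue time to measure from.
    if (typeof claims.iat !== 'number') return { ok: false, reason: 'iat required' };
    if (now >= claims.iat + maxAgeSec) return { ok: false, reason: 'maxAge exceeded' };
  }
  return { ok: true, claims };
}

// Constructed sample: a 24 h token, checked by verifiers with and without a 1 h cap.
const SECRET = 'constructed-demo-secret';
const T0 = 1700000000; // constructed issue time, seconds since epoch
const token = signToken({ sub: 'user-1' }, SECRET, { expiresInSec: 86400, now: T0 });
console.log(verifyToken(token, SECRET, { now: T0 + 60 }).ok);
console.log(verifyToken(token, SECRET, { maxAgeSec: 3600, now: T0 + 7200 }).reason);
console.log(verifyToken(token, SECRET, { now: T0 + 90000 }).reason);
```

A token issued without `exp` passes a verifier that sets no age cap indefinitely in this model, which is why a verifier-side option alone does not give an already-issued token an expiry claim.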