Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Example of refreshing tokens with jwt
/**
* Example to refresh tokens using https://github.com/auth0/node-jsonwebtoken
* It was requested to be introduced at as part of the jsonwebtoken library,
* since we feel it does not add too much value but it will add code to mantain
* we won't include it.
*
* I create this gist just to help those who want to auto-refresh JWTs.
*/
const jwt = require('jsonwebtoken');
function TokenGenerator (secretOrPrivateKey, secretOrPublicKey, options) {
this.secretOrPrivateKey = secretOrPrivateKey;
this.secretOrPublicKey = secretOrPublicKey;
this.options = options; //algorithm + keyid + noTimestamp + expiresIn + notBefore
}
TokenGenerator.prototype.sign = function(payload, signOptions) {
const jwtSignOptions = Object.assign({}, signOptions, this.options);
return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
}
// refreshOptions.verify = options you would use with verify function
// refreshOptions.jwtid = contains the id for the new token
TokenGenerator.prototype.refresh = function(token, refreshOptions) {
const payload = jwt.verify(token, this.secretOrPublicKey, refreshOptions.verify);
delete payload.iat;
delete payload.exp;
delete payload.nbf;
delete payload.jti; //We are generating a new token, if you are using jwtid during signing, pass it in refreshOptions
const jwtSignOptions = Object.assign({ }, this.options, { jwtid: refreshOptions.jwtid });
// The first signing converted all needed options into claims, they are already in the payload
return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
}
module.exports = TokenGenerator;
/**
* Just few lines to test the behavior.
*/
const TokenGenerator = require('./token-generator');
const jwt = require('jsonwebtoken');
const tokenGenerator = new TokenGenerator('a', 'a', { algorithm: 'HS256', keyid: '1', noTimestamp: false, expiresIn: '2m', notBefore: '2s' })
token = tokenGenerator.sign({ myclaim: 'something' }, { audience: 'myaud', issuer: 'myissuer', jwtid: '1', subject: 'user' })
setTimeout(function () {
token2 = tokenGenerator.refresh(token, { verify: { audience: 'myaud', issuer: 'myissuer' }, jwtid: '2' })
console.log(jwt.decode(token, { complete: true }))
console.log(jwt.decode(token2, { complete: true }))
}, 3000)
@saifkamaal

This comment has been minimized.

Copy link

@saifkamaal saifkamaal commented Sep 6, 2017

use the jsonwebtoken module instead of jwt - if you get the error.

@ziluvatar

This comment has been minimized.

Copy link
Owner Author

@ziluvatar ziluvatar commented Jun 7, 2018

Done, thanks!

@bessaadi

This comment has been minimized.

Copy link

@bessaadi bessaadi commented Aug 27, 2018

Thanks!

@pdhung197

This comment has been minimized.

Copy link

@pdhung197 pdhung197 commented May 26, 2020

Thank you so much. Can I ask a question:
What's difference between secretOrPrivateKey and secretOrPublicKey? I read jwt document on https://www.npmjs.com/package/jsonwebtoken and see secretOrPrivateKey use for sign, secretOrPublicKey use for verify but what is difference of those?

@dac09

This comment has been minimized.

Copy link

@dac09 dac09 commented May 27, 2020

My understanding as a non security expert:

Public keys -> Can be used to verify
Private keys (or secret key) -> Can be used to both verify and sign

What this means is that if you sign a JWT with a private key on your auth server, you'll be able to verify with the public key on any other server. Public keys aren't secrets - and can be distributed "freely", and only your auth server should have access to the private key. Remember you should probably check other values such as expiry, audience, etc. as well

@TriStarGod

This comment has been minimized.

Copy link

@TriStarGod TriStarGod commented Jun 30, 2020

The previous comment is partially wrong

RSA keys - public / private

User A creates private and public key pair; User A shares public key with world including User B; User A's private key is kept private and secure;

If User A signs some data with User A's private key, the data can only be decrypted by User A's public key; If User B successfully decrypted the encrypted data using User A's public key, the receiver knows it was sent by the User A. However, this does not imply that User B was the intend recipient of the encrypted data;

If User B signs some data with User A's public key, the data can only be decrypted by User A's private key; If User A successfully decrypted the data, User A knows the data was meant for User A; However, using only the encrypted data as reference, User A cannot verify who sent the data;

@dac09

This comment has been minimized.

Copy link

@dac09 dac09 commented Jul 1, 2020

+1

I should’ve used the words “usually used to” instead of “can be”

@pdhung197

This comment has been minimized.

Copy link

@pdhung197 pdhung197 commented Jul 1, 2020

Thank you for clearly explain.

@5eraph

This comment has been minimized.

Copy link

@5eraph 5eraph commented Oct 10, 2020

If User A signs some data with User A's private key, the data can only be decrypted by User A's public key; If User B successfully decrypted the encrypted data using User A's public key, the receiver knows it was sent by the User A. However, this does not imply that User B was the intend recipient of the encrypted data;

Hi @TriStarGod, what you wrote is not correct. Signing does not affect de/encryption process. It is proof of author. And nothing ever decrypts by public key. There would be no reason. But yea you use public key to verify signature to make sure data wasnt tampered and sender is owner of private/public key pair. So to send data to User B - user A needs User B's public key.

If User B signs some data with User A's public key, the data can only be decrypted by User A's private key;

Same.other way around. User B does not sign with public key but encrypts data intended for User A. It is implied by second part of your statement bit sign and encryption should not be mixed.

@TriStarGod

This comment has been minimized.

Copy link

@TriStarGod TriStarGod commented Oct 11, 2020

@5eraph I believe it does both. The only thing I was unsure of was if the private key signed a message, whether that was considered encrypted or not. At first I believed it was due to https://security.stackexchange.com/questions/9957/can-i-use-a-private-key-as-a-public-key-and-vice-versa but I've to come to the conclusion its not. Proper implementation with both signing and encryption involves both parties sharing their public key to sign / encrypt messages to each other.

@5eraph

This comment has been minimized.

Copy link

@5eraph 5eraph commented Oct 12, 2020

@TriStarGod Interesting. I never thought about the internals of RSA and was thinking about crypto in general. I do not know whether this would be possible with other algorithms as well. But anyway your initial message may confuse someone to use public/private incorrectly, so it may be worth to update that answer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.