Week 9
JWT Review
Quiz 7: JWT Authentication 15 mins
There will be a quiz today. It will be worth 2% of your final grade.
Assignment Reminder
Assignment 3 - Authentication - is due before next week's class.
Agenda
- AMA (10 mins)
- Quiz (10 mins)
- A little more JWT (20 mins)
- Review Assignment 3 (5 mins)
- Lab Time
JWT Review
Is the payload data in a JWT securely encrypted?
No. The header and payload are only base64url-encoded JSON; they are neither encrypted nor hashed, and anyone holding the token can decode and read them, so a JWT is not suitable for carrying sensitive information. The token is, however, signed. A server that verifies the signature with the correct key (and pins the expected algorithm instead of trusting the alg value in the token's own header) can be sure that the header and payload have not been altered.
Can a JWT be revoked?
Not by itself. A standard JWT is stateless: the server keeps no record of the tokens it has issued, so once a token is out there it stays valid until it expires. Revoking one requires server-side state, for example a denylist of jti (JWT ID) claim values, which gives up some of that statelessness. The usual mitigation is a short expiry time, so a compromised token is useful only briefly.
How do you set an expiry limit for the token?
Token Expiration (exp claim)
The JWT standard defines an exp claim for expiration. The expiration is represented as a standard timestamp, meaning an integer value in seconds (not milliseconds) since 1970-01-01T00:00:00Z UTC.
Suppose we want to set the token to expire in one hour. It can be set directly with a manual calculation as part of the payload.
const jwt = require('jsonwebtoken'); // npm install jsonwebtoken

const token = jwt.sign(
{
exp: Math.floor(Date.now() / 1000) + 60 * 60, // current time in seconds, plus one hour
user: { _id } // _id: the authenticated user's database id
},
'secret' // HMAC signing secret; in real code load a long random value from configuration
)
Remember
The Date.now() method returns the current time as a timestamp in milliseconds, which is why the value is divided by 1000 before adding the lifetime in seconds.
Or, the exp claim can be computed by the jsonwebtoken library itself by passing a relative lifetime in the options object. expiresIn accepts either a number of seconds or a string such as '1h'. Do not also put exp in the payload in that case; the library rejects a payload that already has an exp property when expiresIn is given.
const jwt = require('jsonwebtoken');

const token = jwt.sign(
{ user: { _id } }, // payload (no exp here; the library adds it)
'secret', // HMAC signing secret, not an encryption key
{ expiresIn: '1h' } // options object: relative lifetime, converted to an exp claim
)
For next week
Before next week's class, please read these additional online resources.
Quiz
There will be a short quiz next class. The questions could come from any of the material referenced above.