add support for activeDuration (or an example in the doc how to do that) #237
Comments
@shai32 thanks for opening this issue to discuss
@nelsonic validateFunc is very limited
Help with how to code it will be very appreciated.
I want to be able to send a new token to the user not only for expiration, but also for renewing invalidated data. The decoded token itself contains data for the user (like user role, user ID).
@shai32 if
@nelsonic verifyFunc has the same limitation
I don't think that is part of the auth. Same as creating the token you use in the first place. We solved this issue with a separate session-management plugin that checks, in a hook, on every call whether the token is still valid or should be extended. If it should be extended, it attaches the new token to the header/cookie and passes on to the rest. So you keep everything nicely separated ;-)
Just checked. We implemented it in the onPreResponse hook.
@bitcloud sounds interesting. So validateFunc isn't needed at all? Can I use onPreResponse to test the token/session?
As it still has to pass auth-jwt2 with a valid token, which takes care of the decoding, you have access to the request.auth object like in any other route handler. We pick the credentials from request.auth and use a refreshTime value to check if a token is due for replacement; if it is due for replacement, we extend the timeout in the credentials and issue a new token. E.g. lifetime is 7 days, refresh is 1 day. So if the token has a lifetime of less than a day, a new one is issued.
@bitcloud that's exactly what I need, thanks. I want to use a lifetime of 7 days and a refresh of 6 days. In this way I am ensuring that the user has 6-7 days to use it from their last visit to my site. What do you think about these numbers, are they OK? Also I want to write unit tests for this; can I mock the server clock to test it?
Yeah, numbers are fine! The only thing you want to avoid is creating a token on every request. Unit tests should be easy. You just need to mock request and reply and expose the handler in the module. You should even be able to do integration tests with the server.inject method pretty straightforwardly.
@bitcloud thanks for your help, it works now. This is my code if anyone else needs to implement activeDuration and create a new token when credentials need to be updated.
Concerning the first part: this means that you recreate a token when you invalidate the session? I would have guessed that this would just delete the session :-) And in the second part: the renew only happens once, as you delete the flag in the credentials. What should happen the second time? The user won't see the difference, or will this be checked later on in the app again? And I think a nicer way to set headers and cookies would be
Probably I don't understand the whole idea of activeDuration. I just call it JWT refresh, because it just refreshes your token when it is approaching end of life, and there is no difference from the original token besides the expiry. But you are certainly on the right track :-)
@bitcloud I have a different purpose for using invalidate. This way I am ensuring that the client always has the updated session. Regarding the second part, the renew should only happen once and that's OK; the client gets a new token with a new session. After one day this token will also be replaced again. activeDuration is indeed JWT refresh, but I implemented it also to refresh the session data inside the token (only when needed), not only the expiration. I need the user data (such as role, displayName and more) to always be up to date with the client.
Here is my updated code that does it
activeDuration allows users to lengthen their session by interacting with the site. If the session is 28 minutes old and the user sends another request, activeDuration will extend the session's life for however long you define, in this case 15 minutes.
In short, activeDuration prevents the app from logging a user out while they're still using the site.
Example of why it's important:
Let's say the user gets a token with a long expiration date (let's say 7 days)
when he logs in, he clicked on "remember me".
Now, the user uses the site every day; after 7 days, he still has his original token (that is stored in his browser).
He opens the website, no login needed (the token still has 1 minute left), and then suddenly, after 1 minute of use, the website throws him out.
The user does not understand what happened and why.
So we need a way to define some sort of activeDuration:
It sounds like a must-have for any site that wants a good user experience.
Am I wrong? What do most sites do?