Questions about Authentication Token (JWT)

Viewed 721 times

2

For a while I have used JSON Web Tokens (JWT) to do the entire authentication process of most systems I work on in Node.js.

But today, while developing one of my personal projects, I took a look at the token verification process, came across this expiresIn and was left with some doubts:

  • If I set the maximum expiration time, are there risks to system security?
  • Is there a certain "default" time for the expiration of tokens?

Example of sign jwt

const jwt = require('jsonwebtoken');

// Signs a token carrying only the user id; expiresIn is given in seconds (86400 s = 24 h)
const token = jwt.sign({ id: user.result[0].id }, authConfig.secret, {
  expiresIn: 86400,
});

Well, I have been researching in the library documentation and nothing answered exactly what I would like to know.

  • If you are only putting the user ID in the JWT, why not simply use a session on the back-end?

  • 1

    Because it is an API, the authentication token is required. Not counting the security factors.

1 answer

1


  • "If I set the maximum expiration time, are there risks to system security?"

There is a risk that someone will be able to "steal" your JWT token. Since the token does not expire, it can be used forever to authenticate that user.

The same attack may happen with a token that has an expiration time, but the impact ends up being smaller because the "stolen" token will be useless after a while.

It is not a simple attack to carry out, and it can be mitigated in other ways, not only by defining an expiresIn, such as using HTTPS to hinder "man-in-the-middle" attacks.

  • "Is there a certain "default" time for the expiration of tokens?"

No. If the parameter is not defined, the JWT has "infinite duration".

There is no rule for defining the time; it depends on each case. It is common to think of the user's use case and set the time based on that, for example:

The user is a company employee who usually works 8 hours a day. In that case, a reasonable expiresIn is 8 hours.
