cchamberlain..

6

如果您使用的是节点(React/Redux/Universal JS),则可以安装npm i -S jwt-autorefresh.

此库根据用户计算的访问令牌到期之前的秒数(基于令牌中编码的exp声明)计划刷新JWT令牌.它有一个广泛的测试套件,可以检查很多条件,以确保任何奇怪的活动都伴随着有关环境配置错误的描述性消息.

完整的示例实现

import autorefresh from 'jwt-autorefresh'

/** Events in your app that are triggered when your user becomes authorized or deauthorized. */

import { onAuthorize, onDeauthorize } from './events'

/** Your refresh token mechanism, returning a promise that resolves to the new access tokenFunction (library does not care about your method of persisting tokens) */

const refresh = () => {

const init = { method: 'POST'

, headers: { 'Content-Type': `application/x-www-form-urlencoded` }

, body: `refresh_token=${localStorage.refresh_token}&grant_type=refresh_token`

}

return fetch('/oauth/token', init)

.then(res => res.json())

.then(({ token_type, access_token, expires_in, refresh_token }) => {

localStorage.access_token = access_token

localStorage.refresh_token = refresh_token

return access_token

})

}

/** You supply a leadSeconds number or function that generates a number of seconds that the refresh should occur prior to the access token expiring */

const leadSeconds = () => {

/** Generate random additional seconds (up to 30 in this case) to append to the lead time to ensure multiple clients dont schedule simultaneous refresh */

const jitter = Math.floor(Math.random() * 30)

/** Schedule autorefresh to occur 60 to 90 seconds prior to token expiration */

return 60 + jitter

}

let start = autorefresh({ refresh, leadSeconds })

let cancel = () => {}

onAuthorize(access_token => {

cancel()

cancel = start(access_token)

})

onDeauthorize(() => cancel())

免责声明:我是维护者

是的,解码是仅客户端解码,不应该知道这个秘密.该秘密用于对JWT令牌服务器端进行签名,以验证您的签名是否最初用于生成JWT,并且永远不应该从客户端使用.JWT的神奇之处在于它的有效负载可以在客户端进行解码,并且内部声明可用于构建您的UI而无需保密.唯一`jwt-autorefresh`解码它是为了提取`exp`声明,以便它可以确定安排下一次刷新的距离. (3认同)