Monday, 24 April 2017

Destroying JSON Web Tokens

This is something,that really confuses. me. Let us suppose you have a REST API where you want the user to logout. After login out,the jwt(json web token) should be destroyed,so the user can not have access to the server's resources(ie menu,dishes etc).

In my case the user can logout,but he/she can still perform all the requests(get dishes,post and delete). Here is my code.

verify.js

        var User = require('../models/user');
        var jwt = require('jsonwebtoken'); // used to create, sign, and verify tokens
        var config = require('../config.js');

        exports.getToken = function (user) {
            return jwt.sign(user, config.secretKey, {
                expiresIn: 3600
            });
        };

        exports.verifyOrdinaryUser = function (req, res, next) {
            // check header or url parameters or post parameters for token
            var token = req.body.token || req.query.token || req.headers['x-access-token'];

            // decode token
            if (token) {
                // verifies secret and checks exp
                jwt.verify(token, config.secretKey, function (err, decoded) {
                    if (err) {
                        var err = new Error('You are not authenticated!');
                        err.status = 401;
                        return next(err);
                    } else {
                        // if everything is good, save to request for use in other routes
                        req.decoded = decoded;
                        next();
                    }
                });
            } else {
                // if there is no token
                // return an error
                var err = new Error('No token provided!');
                err.status = 403;
                return next(err);
            }
        };

I am invalidating the token after a period of 1 min.

And users.js where I set all the routes with their tasks. ie localhost:3000/users/login,localhost:3000/users/register and localhost:3000/users/logout. So.

    var express = require('express');
    var router = express.Router();
    var passport = require('passport');
    var User = require('../models/user');
    var Verify    = require('./verify');
    /* GET users listing. */
    router.get('/', function(req, res, next) {
      res.send('respond with a resource');
    });

    router.post('/register', function(req, res) {
        User.register(new User({ username : req.body.username }),
          req.body.password, function(err, user) {
            if (err) {
                return res.status(500).json({err: err});
            }
            passport.authenticate('local')(req, res, function () {
                return res.status(200).json({status: 'Registration Successful!'});
            });
        });
    });

    router.post('/login', function(req, res, next) {
      passport.authenticate('local', function(err, user, info) {
        if (err) {
          return next(err);
        }
        if (!user) {
          return res.status(401).json({
            err: info
          });
        }
        req.logIn(user, function(err) {
          if (err) {
            return res.status(500).json({
              err: 'Could not log in user'
            });
          }

          var token = Verify.getToken(user);
                  res.status(200).json({
            status: 'Login successful!',
            success: true,
            token: token
          });
        });
      })(req,res,next);
    });

    router.get('/logout', function (req, res) {
        req.logout();
        res.status(200).json({
            status: 'Bye!'
        });
    });

    module.exports = router;

It seems that the logout method req.logout,doesn't work:(. Any ideas?

Thanks,

Theo.



via Theo
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)