apollo-link-token-refresh

Check JWT token exp date

Open jgwiazdowski opened this issue 3 years ago • 3 comments

Hi,

I checked some tutorials and went through the issues here on the repo, and what I see is that in the isTokenValidOrUndefined() function everyone basically does the same check, which is

    import jwtDecode, { JwtPayload } from 'jwt-decode';

    // The usual client-side expiry check: compare the exp claim (seconds) with the local clock
    const isTokenValidOrUndefined = (token: string): boolean => {
      const { exp } = jwtDecode<JwtPayload>(token);
      if (exp) {
        return Date.now() < exp * 1000;
      } else {
        return false;
      }
    };

seems fine, but is it really? I can just change the date on my OS and add 10 hours to it, so when the token is expired, I can easily manipulate the date on my OS and the token works again?

it's not exactly a problem with this repo, but I think that isTokenValidOrUndefined() should be async; then I would be able to get the server date/time and check whether the token has expired or not.

jgwiazdowski avatar Jan 19 '22 14:01 jgwiazdowski

Hi, @jgwiazdowski, nice catch. Could you try to implement this?

newsiberian avatar Jan 20 '22 08:01 newsiberian

Hi @newsiberian, I will give it a try, but honestly I cannot promise.

going back to the jwt exp date problem, what I described in my post seems like a general problem; I googled for hours and didn't find a single post saying a word about this.

also imagine that when the server creates a token, the client clock is, let's say, 2 hours behind (again, not because of the timezone); without any extra checks, such a token gets immediately invalid from the client perspective.

what I ended up with is the following: I created myself an extra async ApolloLink which gets the server time on each request, then I compare the server time with jwt.exp and the problem is solved.

I do not think that it's the right solution; I am still looking for a better one, and with any luck I will post it here.

jgwiazdowski avatar Jan 20 '22 10:01 jgwiazdowski

The UI checking the expiration of a JWT is mainly just to handle the refreshing of it from a UX perspective. When using the JWT to make a request to the server, it should be up to the server to determine if the JWT is expired. So sure, say you manipulate your client to be "back in time" where the JWT isn't technically expired, but you still need to send it to the server, which would invalidate it.

ottomanelli avatar May 05 '23 20:05 ottomanelli
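A skew-tolerant version of the check discussed above, as an added example (not code from apollo-link-token-refresh or from any of the posters): it learns the offset between the server's clock and the local one from an HTTP Date header (a constructed sample), evaluates exp against server-adjusted time with a small refresh margin, and still leaves the server as the authority on rejecting the token. The function and parameter names are my own.

```javascript
// Added example, not part of apollo-link-token-refresh. The client clock is only
// a hint for when to refresh; the server stays the authority on accepting a JWT.

// Decode the JWT payload WITHOUT verifying the signature: on the client we only
// read the exp claim to schedule a refresh; signature verification is the server's job.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Offset in ms between the server clock and the local clock, learned from the
// Date header of any response (or a dedicated time endpoint). localNowMs is
// Date.now() taken when the response arrived. Unknown skew falls back to 0.
function computeClockOffset(serverDateHeader, localNowMs) {
  const serverMs = Date.parse(serverDateHeader);
  return Number.isNaN(serverMs) ? 0 : serverMs - localNowMs;
}

// Skew-aware replacement for isTokenValidOrUndefined: true when there is no
// token (nothing to refresh) or when exp is still ahead of server-adjusted time
// by at least marginMs, so a refresh is triggered slightly before real expiry.
function isTokenValidOrUndefined(token, { offsetMs = 0, marginMs = 30_000, nowMs = Date.now() } = {}) {
  if (token === undefined) return true;
  let exp;
  try {
    ({ exp } = decodeJwtPayload(token));
  } catch {
    return false; // undecodable token: treat as expired so a refresh is attempted
  }
  if (typeof exp !== 'number') return false;
  const serverNowMs = nowMs + offsetMs;
  return serverNowMs + marginMs < exp * 1000;
}

// Constructed sample token: unsigned header and dummy signature, exp in seconds.
function makeSampleToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ sub: 'demo', exp })}.sig`;
}
```

Run with Node 16 or newer (for the base64url encoding); in a real Apollo setup the offset would be refreshed from each response's Date header and the token simply re-sent to the server, which makes the final call.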