令牌已过期,无法再刷新。

huangapple go评论119阅读模式
英文:

Token has expired and can no longer be refreshed

问题

  1. 如何在刷新令牌过期时更新它?中间件中的代码刷新了访问令牌,但刷新令牌是问题所在。

  2. 是否有办法在更新访问令牌时同时更新刷新令牌?

英文:

I'm using the package PHPOpenSourceSaver (Tymon package fork) and the access token is working perfect. When the time expires I update the access token and the user can continue access but when the refresh token expires I got the error:|

Token has expired and can no longer be refreshed

But I updated the refresh token (I think) in the middleware but it's not working, only update the access token when expires:

class JWTAuthenticate extends Authenticate
{
    public function handle($request, Closure $next)
    {
        $jwt = $request->cookie(JWTValues::ACCESS_TOKEN);
        $bearerToken = null;
     
        if (!is_null($jwt)) {
            $request->headers->set('Authorization', $jwt);
        }

        try {
            JWTAuth::parseToken()->authenticate();
        } catch (TokenExpiredException $e) {

            $refreshedToken =  auth()->refresh(JWTAuth::getToken());
            JWTAuth::setToken($refreshedToken)->toUser();

            $bearerToken = "Bearer {$refreshedToken}";
            $request->headers->set('Authorization', $bearerToken);
        }
     
        $this->authenticate($request);
       
        if (!is_null($bearerToken)) {
            $cookie = cookie()->forever(JWTValues::ACCESS_TOKEN, $bearerToken);
            return  $next($request)->withCookie($cookie);
        }

        return $next($request);
    }
}

I would like to know to thinks:

  1. How to update the refresh token when this expires? the code in the middleware refresh the access token but with refresh token is the problem
  2. is there a way to update the refresh token when the access token is updated?

答案1

得分: 1

JWT包有许多安全检查。

其中一项检查严格禁止刷新已过期的令牌(除非在过期后的某个时间段内)。

解决方案

  • 在每个请求之前刷新令牌,以确保在过期之前刷新。

  • 或者,如提到的在评论中,使用JavaScript在允许刷新的时间段内刷新令牌。

  • 或者,使用用户名和密码刷新令牌。

  • 或者,修改包并移除/禁用所说的“一个”安全检查。

> 注意,我只建议前两种方法,因为它们最安全。
>
> 剩下的两种方法允许攻击者重用被盗令牌,即使它已过期。
>
> 但另一方面,这样的中间人攻击者也会窃取用户的用户名和密码,因此需要使用用户的电话号码进行双因素身份验证。

英文:

The JWT package(s) have many security checks.

One of said checks, strictly forbids expired tokens to be refreshed (except maybe in a certain time-period after expired).

Solutions

  • Either refresh the token before it's expired, on each request.

  • Or, as mentioned in comments, use JavaScript to refresh the token in the time-period that allows refreshing.

  • Or, refresh the token with username and password.

  • Or, hack the package, and remove/disable said "one" security check.

>Note that I only recommend first two of above, which is most secure.
>
>The remaining two allow a stolen token to be re-used by attackers, even if it's expired.
>
>But on the other hand, such a middle-man-attacker would steal user's name and password, too, and two-factor authentication with user's phone-number is required.

huangapple
  • 本文由 发表于 2023年6月26日 20:30:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/76556704.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定