Check JWT token exp date #46

Open
jgwiazdowski opened this issue Jan 19, 2022 · 3 comments

@jgwiazdowski

Hi,

I checked some tutorials and went through the issues here on the repo, and what I see is that in the isTokenValidOrUndefined() function everyone basically does the same check, which is

    // exp is in seconds since the epoch; Date.now() is in milliseconds
    const { exp } = jwtDecode<JwtPayload>(token);
    if (exp) {
      return Date.now() < exp * 1000;
    } else {
      return false;
    }

Seems fine, but is it really?
I can just change the date on my OS and add 10 hours to it,
so when the token is expired, I can easily manipulate the date on my OS and the token works again?

It's not exactly a problem with this repo, but I think that isTokenValidOrUndefined() should be async, then I would be able to get the server date/time and check whether the token has expired or not.

@newsiberian
Owner

Hi, @jgwiazdowski, nice catch. Could you try to implement this?

@jgwiazdowski
Author

Hi @newsiberian I will give it a try, but honestly I cannot promise,

going back to jwt exp date problem,
what I described in my post seems like a general problem, googled for hours, didn't find a single post saying a word about this,

also imagine that when the server creates a token, the client clock is, let's say, 2 hours behind (again, not because of the timezone); without any extra checks, such a token gets immediately invalid from the client perspective

what I ended up with is the following: I created an extra async ApolloLink which gets the server time on each request, then I compare the server time with jwt.exp and the problem is solved

I do not think that it's the right solution, I am still looking for a better one, with any luck I will post it here

@ottomanelli

> Hi @newsiberian I will give it a try, but honestly I cannot promise,
>
> going back to jwt exp date problem, what I described in my post seems like a general problem, googled for hours, didn't find a single post saying a word about this,
>
> also imagine that when the server creates a token, the client clock is, let's say, 2 hours behind (again, not because of the timezone); without any extra checks, such a token gets immediately invalid from the client perspective
>
> what I ended up with is the following: I created an extra async ApolloLink which gets the server time on each request, then I compare the server time with jwt.exp and the problem is solved
>
> I do not think that it's the right solution, I am still looking for a better one, with any luck I will post it here

The UI checking the expiration of a JWT is mainly just to handle the refreshing of it from a UX perspective. When using the JWT to make a request to the server, it should be up to the server to determine if the JWT is expired. So sure, say you manipulate your client to be "back in time" where the JWT isn't technically expired, but you still need to send it to the server, which would invalidate it.
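
The split discussed in this thread, as an added example that is not code from this repository or from any commenter: the client uses `exp` only as a refresh hint, optionally corrected by a clock offset taken from the server's HTTP `Date` response header, while the server makes the authoritative decision against its own clock. All function names are hypothetical, the sample token is constructed, and reading `Date` from responses is an assumption about the deployment.

```javascript
// Added example; all names here are hypothetical, not the project's API.

// Read the payload of a compact JWT. No signature check: the browser has no
// key for that, so nothing read here is trusted for authorization.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

// Server-minus-client clock offset (ms) from an HTTP Date response header.
// Falls back to 0 (use the local clock as-is) when the header is unparsable.
function clockOffsetMs(dateHeader, clientNowMs) {
  const serverMs = Date.parse(dateHeader);
  return Number.isNaN(serverMs) ? 0 : serverMs - clientNowMs;
}

// UX hint only: should the client refresh before sending the next request?
// A missing or invalid exp, or an undecodable token, means "refresh".
function shouldRefresh(token, clientNowMs, offsetMs = 0, leewayMs = 30000) {
  let exp;
  try {
    exp = decodeJwtPayload(token).exp;
  } catch (err) {
    return true;
  }
  if (typeof exp !== 'number') return true;
  return clientNowMs + offsetMs >= exp * 1000 - leewayMs;
}

// The authoritative check runs on the server, against the server's own clock,
// after signature verification (assumed to be done by the caller).
function serverAcceptsExp(payload, serverNowMs) {
  return typeof payload.exp === 'number' && serverNowMs < payload.exp * 1000;
}

// Constructed sample token with a placeholder signature, for illustration only.
function makeSampleToken(expSeconds) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  return `${header}.${enc({ sub: 'demo', exp: expSeconds })}.constructed-signature`;
}
```

For cross-origin requests the browser only exposes `Date` to scripts if the server lists it in `Access-Control-Expose-Headers`.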
