Checking expiration #53
Comments
It seems the easiest way is to:
Just leaving this here as it might help anyone. |
Just an alternative:

```js
// exp is in seconds since the epoch; Date.now() returns milliseconds
var current_time = Date.now() / 1000;
if (jwt.exp < current_time) {
  /* expired */
}
```
|
Just an important addition: Beware of timezone errors. I think you need to use 'Date.now().valueOf() / 1000;' to get the plain UTC time (UTC is the same format as the 'exp' from the JWT-Token). Otherwise the 'Date.now()' will be converted to your local timezone when comparing, which could be a different one than the jwt-issuer. Not using 'valueOf()' will in many timezone-related cases invalidate your token and depending on timezone-difference between client and server (or more exact: between jwt-issuer and jwt-validator) you might not be able to use it ever because the timezone-difference is too big.

Edit: I should add as clarification, that this happens because the EXP-Date in the token is not a DATE-Object, it is just a Timestamp-Number which cannot contain any timezone-information. Therefore the EXP in the token will ALWAYS (unless you change it manually) be the neutral timezone (0) UTC and to compare it, you need your time as plain UTC-number too. You may not encounter this problem at first (when you set the token EXP to 24 hours you will not run into the problem of instant invalidation) but you should still be aware of using the time-comparison correctly. |
Also worth mentioning that the if (typeof jwt.exp === 'undefined') return 'Never expires!' There's also |
@davidjb Just because the |
For the lazy:

```js
function assertAlive (decoded) {
  // exp and nbf are seconds since the epoch; Date.now() is milliseconds
  const now = Date.now().valueOf() / 1000
  if (typeof decoded.exp !== 'undefined' && decoded.exp < now) {
    throw new Error(`token expired: ${JSON.stringify(decoded)}`)
  }
  if (typeof decoded.nbf !== 'undefined' && decoded.nbf > now) {
    throw new Error(`token not yet valid: ${JSON.stringify(decoded)}`)
  }
}

// jwtDecode is the decode function from jwt-decode; token is the JWT string
try {
  assertAlive(jwtDecode(token))
} catch (error) {
  console.error(error)
}
```
|
|
@RomanBednyakov just some additions to your code:
|
@mhombach will you help me understand your comment about
Thank you in advance for helping me understand. I'm trying to track down an issue where one of my servers is claiming JWTs are expired while the client seems to think it isn't. Anyone with ideas on what to check for in scenarios like this please do share. Thanks! |
@mfulton26 a different date & time on devices (server and client) could have the scenario you mentioned, since runtime grabs the time (now) from the system it's running on. |
@vniche that doesn't seem to explain the usage of |
Using Date.now().valueOf() is completely unnecessary, Date.now() returns a plain Number object which "knows" nothing about time zones and etc...
so no conversion is even needed |
That was my thinking @rstar2; thank you for confirming. |
Hmm... I have to admit that I do not 100% understand my thoughts from back when I wrote my first comment. |
@mhombach yes I found it weird and confusing too that your comment got so many likes but the solution didn't help me and I wondered if I was missing something. I appreciate you all taking another look. The issue for me ended up being multiple refresh token requests happening concurrently which is a separate issue. Thanks! |
Thanks for the help @thejohnfreeman I had some trouble figuring out the logic until I realised how much cleaner your code was than mine! |
try { |
|
See https://stackoverflow.com/questions/33184096/date-new-dated-valueof-vs-date-now for why to use |
Hi everyone, if you need to validate ID Tokens please check out the idtoken-verifier library. |
As far as I could understand, jwt-decode doesn't check if the token expired, does it?
If yes, how can I check if the token expired?
If not, is there any way to do that easily?
Thanks
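
Added example (not part of the original thread and not jwt-decode's own code): the `exp`/`nbf` check discussed in the comments, covering the seconds-versus-milliseconds conversion, a missing `exp`, non-numeric claims, and an allowance for clock differences between issuer and checker. `decodePayload`, `tokenTimeStatus`, `makeSampleToken` and `leewaySec` are hypothetical names and the token is constructed; nothing here verifies the signature, so the result is a client-side hint and the server still has to verify the token.

```javascript
// Added example; payload decoding here is unverified and reads claims only.
function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// exp and nbf are NumericDate values: seconds since the Unix epoch (UTC).
// Date.now() is milliseconds since the same epoch, so only the unit differs.
// leewaySec (hypothetical parameter) absorbs small clock drift between the
// issuer and the machine running this check.
function tokenTimeStatus(claims, { nowMs = Date.now(), leewaySec = 0 } = {}) {
  const now = Math.floor(nowMs / 1000);
  for (const name of ['exp', 'nbf']) {
    const v = claims[name];
    if (v !== undefined && !Number.isFinite(v)) return `invalid-${name}`;
  }
  // RFC 7519: the current time must be strictly before exp.
  if (claims.exp !== undefined && now >= claims.exp + leewaySec) return 'expired';
  if (claims.nbf !== undefined && now < claims.nbf - leewaySec) return 'not-yet-valid';
  return claims.exp === undefined ? 'valid-no-expiry' : 'valid';
}

// Constructed sample token with a placeholder signature, built inline.
function makeSampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const issuedAt = 1700000000; // constructed timestamp, in seconds
const sampleClaims = decodePayload(
  makeSampleToken({ sub: 'user-1', nbf: issuedAt, exp: issuedAt + 3600 })
);
console.log(tokenTimeStatus(sampleClaims, { nowMs: (issuedAt + 60) * 1000 }));
console.log(tokenTimeStatus(sampleClaims, { nowMs: (issuedAt + 3600) * 1000 }));
console.log(tokenTimeStatus({ sub: 'user-1' }));
```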