How to check token expiry? #108

Closed
KrishnaPG opened this issue Dec 22, 2017 · 9 comments

Comments

@KrishnaPG

Any method to check if the token is still valid or expired? So that we can open the login dialog again (if the stored token is expired)

@bcomnes
Contributor

bcomnes commented Dec 23, 2017

Use ‘user.jwt().then()’ to auto refresh the token.

@KrishnaPG
Author

Thanks @bcomnes. What does user.jwt() do? Would it just renew the token silently or would it show the login dialog if token is expired?

@bcomnes
Contributor

bcomnes commented Dec 25, 2017

Sorry for the brevity, was mobile when I responded. It will automatically refresh the JWT token with the existing login if it has expired. The user objects in the widget are generated by https://github.com/netlify/gotrue-js internally and share the same API.

@KrishnaPG
Author

KrishnaPG commented Dec 26, 2017

Thank you @bcomnes

I am trying to 'protect' certain pages with login using client side router (vue-router). As of now, roughly doing something like below

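Router.beforeEach((to, from, next) => {
	const user = netlifyIdentity.currentUser();
	const validUser = (user != null); // check if user token exists
	// '/login' is a placeholder path for the login route
	if (validUser || to.path === '/login') next(); // allow the navigation (e.g. to the dashboard)
	else next('/login'); // no stored user: force the login page
});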

On each route transition, check if valid userToken exists or not (using the netlifyIdentity.currentUser()). If user token does not exist, then force to login page.

This works perfectly for loggedIn or loggedOut scenarios, where the netlifyIdentity.currentUser() clearly returns NULL or non-null object.

But this does not take care of stale tokens. The netlifyIdentity.currentUser() could be a stale token (from previous login long time back), and in such cases I want to force to login page.

If user.jwt() refreshes the token in the backend server every time it is called, then I do not get a chance to force the login again (on the front end) - correct?

What I am looking for is more of: on the client side itself determine if token is expired or not. Something like netlifyIdentity.validateToken().

No renewal. Just a boolean true/false return value. So that user will be force "logged out" / forced to login for stale tokens.

Also, is there a way to configure the token timeout / expiry?

@futuregerald
Contributor

The JWT has an expiration encoded in it. The expiration is also in the User.token object.

@bcomnes
Contributor

bcomnes commented Jan 4, 2018

Yeah that's correct, sorry for the delayed response on my end, I lost track of a bunch of GitHub notifications over the holidays.

@KrishnaPG KrishnaPG reopened this Jan 7, 2018
@KrishnaPG
Author

KrishnaPG commented Jan 7, 2018

Thank you. I see the token object has below fields:

access_token:
expires_at: 1515311953000
expires_in: 3600
refresh_token: "PUh9Awap0Vgi2eYoVvpXoQ"
token_type: "bearer"

It has expires_at and expires_in fields. What is the resolution? How to use them for expiry check?

For example, this expires_at ? Is it system time or server time? How to use it to validate?

The other field, expires_in would be slightly difficult to use, since it seems to be relative and without knowing the start time or the token generation time it would be useless.

Any example code or docs would be greatly helpful. Thank you again for your insights and help.

Or any link to the code on how the server validates the token would also be helpful. I can try to copy that code and make relevant changes to make it work on client side.

@KrishnaPG
Author

I am trying to use


isUserTokenValid: function(user) {
	const token = user.token;
	if(!token) return false;
	return token["expires_at"] > Date.now();
}

Would this be correct? The expires_at can it be compared to Date.now() on the client side? What if the server and client are in different time zones? Would it work irrespective of it?

@bcomnes
Copy link
Contributor

bcomnes commented Jan 8, 2018

This is how it works internally: https://github.com/netlify/gotrue-js/blob/master/src/user.js#L62-L68
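
A client-side expiry check along the lines discussed in this thread, as an added example that is not part of the original comments and is not the gotrue-js implementation. It assumes `expires_at` is milliseconds since the Unix epoch (which the sample value quoted above suggests) and that the JWT carries the standard `exp` claim in seconds; both are UTC-based like `Date.now()`, so time zones do not matter, only client clock drift, which the assumed `SKEW_MS` margin absorbs. The helper names are hypothetical, and the result is only good for deciding whether to show the login dialog, since the server still has to verify the token's signature and expiry itself.

```javascript
// Added example; the sample token values below are constructed.
const SKEW_MS = 30 * 1000; // assumed margin for client clock drift

// Decode one base64url JWT segment to text (browser atob or Node Buffer).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Read the `exp` claim (seconds since epoch) as milliseconds, or null if the
// token is malformed. The signature is NOT verified here.
function jwtExpiryMs(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return typeof claims.exp === 'number' ? claims.exp * 1000 : null;
  } catch (err) {
    return null;
  }
}

// True when the stored token must be treated as expired. Fails closed: a
// missing token or one with no readable expiry counts as expired.
function isTokenExpired(token, nowMs = Date.now(), skewMs = SKEW_MS) {
  if (!token) return true;
  const expiries = [token.expires_at, jwtExpiryMs(token.access_token)]
    .filter((v) => typeof v === 'number' && Number.isFinite(v));
  if (expiries.length === 0) return true;
  return Math.min(...expiries) - skewMs <= nowMs; // earliest expiry wins
}
// Constructed sample shaped like the token object quoted in the thread.
function base64UrlEncode(text) {
  const b64 = typeof btoa === 'function'
    ? btoa(text)
    : Buffer.from(text, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleToken = {
  access_token: [
    base64UrlEncode('{"alg":"HS256","typ":"JWT"}'),
    base64UrlEncode('{"exp":1515311953}'),
    'constructed-signature',
  ].join('.'),
  expires_at: 1515311953000,
};
```

In a route guard, `isTokenExpired(user && user.token)` can replace the bare null check so that a stale stored user is sent to the login page.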
