How to deal with a TokenExpiredError: jwt expired?

Time:07-22

I have a project with NodeJS with jwt for managing user authentication. After a period of time, my app stops working and my server prints the following:

return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
                    ^
TokenExpiredError: jwt expired

Now, the person who was working on this project before me had this code for managing the tokens:

const jwt = require('jsonwebtoken');

// Assumed: the secrets are defined elsewhere in the project (shown here as environment
// variables). Access and refresh tokens use different secrets, so a refresh token
// cannot be presented as an access token or vice versa.
const API_SECRET = process.env.API_SECRET;
const API_SECRET_REFRESH = process.env.API_SECRET_REFRESH;

class TokenService {
  // Access token: signed with API_SECRET, carries an `exp` claim 7 days after issue.
  static generateToken(username, type, id) {
    return jwt.sign(
      {
        username,
        type,
        id
      },
      API_SECRET,
      {
        expiresIn: '7d'
      }
    );
  }

  // Refresh token: signed with API_SECRET_REFRESH, carries an `exp` claim 30 days after issue.
  static generateRefreshToken(username, type, id) {
    return jwt.sign(
      {
        username,
        type,
        id
      },
      API_SECRET_REFRESH,
      {
        expiresIn: '30d'
      }
    );
  }
}

My guess is that the issue is the expiresIn: '7d' (since I'm quite new to jwt). I also know that we can omit the expiresIn field to make the token not expire at all. My question is: is it safe to omit said field, or is there another way to tackle this kind of error message? Every time that message pops up, I have to delete the entire browsing history of my browser (or run my project in incognito mode) in order for it to start working again.

CodePudding user response:

Yes, this is one of the most common problems. It is possible to solve it with a refresh token: when the token expires, the front end makes a request to obtain a new one. Here is a link with an example implementation in Node.js:

Link: https://www.bezkoder.com/jwt-refresh-token-node-js/

CodePudding user response:

You should not create a token that does not expire. So, you should keep the expiresIn config.

That being said, you don't have to use a refresh token strategy. There are a lot of ways to handle this. For example, you can do the following:

  1. Create /check-token endpoint that will check if the current token is still valid.
  2. Create token when user logs in. Token will be valid for 7 days for example.
  3. Each time the user opens your application, call the /check-token endpoint. If the current token is not valid, log out the user. If the current token is valid, generate a new token that will be valid for another 7 days and continue to authenticate the user with the new token.