没有使用jwt的刷新…

我想到了两种袭击的场景。一个是关于登录凭证的泄露。另一个是对JWT的盗窃。

For compromised login credentials, when a new login happens, normally send the user an email notification. So, if the customer doesn't consent to being the one who logged in, they should be advised to do a reset of credentials, which should save to database/cache the date-time the password was last set (and set this too when user sets password during initial registration). Whenever a user action is being authorized, the date-time a user changed their password should be fetched from database/cache and compared to the date-time a given JWT was generated, and forbid the action for JWTs that were generated before the said date-time of credentials reset, hence essentially rendering such JWTs useless. That means save the date-time of generation of a JWT as a claim in the JWT itself. In ASP.NET Core, a policy/requirement can be used to do do this comparison, and on failure, the client is forbidden. This consequently logs out the user on the backend, globally, whenever a reset of credentials is done.

For actual theft of JWT... A theft of JWT is not easy to detect but a JWT that expires easily solves this. But what can be done to stop the attacker before the JWT expires? It is with an actual global logout. It is similar to what was described above for credentials reset. For this, normally save on database/cache the date-time a user initiated a global logout, and on authorizing a user action, get it and compare it to the date-time of generation of a given JWT too, and forbid the action for JWTs that were generated before the said date-time of global logout, hence essentially rendering such JWTs useless. This can be done using a policy/requirement in ASP.NET Core, as previously described.

现在，你如何发现JWT被盗?目前我对此的回答是，偶尔提醒用户全局注销并重新登录，因为这肯定会让攻击者注销。

在经过一些研究后，我的观点如下。 在登出期间，确保发生了以下事情…

清除客户端存储/会话

分别在登录或注销发生时更新用户表的上一次登录日期-时间和注销日期-时间。因此登录日期时间应该总是大于注销(或者如果当前状态是登录且尚未注销，则将注销日期保持为空)

这远比保持额外的黑名单表和定期清洗简单。多设备支持需要额外的表来保存loggedIn、注销日期和一些额外的详细信息，如操作系统或客户端详细信息。

简单地创建添加以下对象到你的用户模式:

const userSchema = new mongoose.Schema({
{
... your schema code,
destroyAnyJWTbefore: Date
}

当你在/login上收到POST请求时，将这个文档的日期更改为date .now()

最后，在您的身份验证检查代码中，即在您的中间件中检查isauthenticated或protected或任何您使用的名称，只需添加一个检查myjwt的验证。iat大于userDoc.destroyAnyJWTbefore。

如果您想在服务器端销毁JWT，那么在安全性方面，这个解决方案是最好的。 这个解决方案不再依赖于客户端，它打破了使用jwt的主要目标，即停止在服务器端存储令牌。 这取决于您的项目上下文，但最可能的是您想要从服务器上销毁JWT。

如果您只想从客户端销毁令牌，只需从浏览器中删除cookie(如果您的客户端是浏览器)，在智能手机或任何其他客户端上也可以这样做。

如果选择从服务器端销毁令牌，我建议您使用Radis通过实现其他用户提到的黑名单样式来快速执行此操作。

现在的主要问题是:jwt无用吗?上帝知道。

代币的有效期为1天 每天建立一个黑名单。 将无效/注销令牌放入黑名单

对于令牌验证，首先检查令牌的过期时间，如果令牌没有过期，则检查黑名单。

对于长会话需求，应该有一种机制来延长令牌过期时间。

以下方法可以提供两全其美的解决方案:

让“立即”表示“~1分钟”。

例:

User attempts a successful login: A. Add an "issue time" field to the token, and keep the expiry time as needed. B. Store the hash of user's password's hash or create a new field say tokenhash in the user's table. Store the tokenhash in the generated token. User accesses a url: A. If the "issue time" is in the "immediate" range, process the token normally. Don't change the "issue time". Depending upon the duration of "immediate" this is the duration one is vulnerable in. But a short duration like a minute or two shouldn't be too risky. (This is a balance between performance and security). Three is no need to hit the db here. B. If the token is not in the "immediate" range, check the tokenhash against the db. If its okay, update the "issue time" field. If not okay then don't process the request (Security is finally enforced). User changes the tokenhash to secure the account. In the "immediate" future the account is secured.

我们将数据库查询保存在“immediate”范围内。 如果在“即时”持续时间内有来自客户端的大量请求，那么这是最有益的。

如果不对每个令牌验证进行DB查找，这似乎很难解决。我能想到的替代方案是在服务器端保留无效令牌的黑名单;当发生更改时，应该在数据库上进行更新，通过使服务器在重新启动时检查数据库以加载当前黑名单来持久化更改。

但是如果你把它放在服务器内存中(一个全局变量)，那么如果你使用多个服务器，它就不能跨多个服务器伸缩，所以在这种情况下，你可以把它保存在一个共享的Redis缓存中，应该设置在某个地方持久化数据(数据库?文件系统?)，以防它必须重新启动，每次新服务器启动时，它都必须订阅Redis缓存。

作为黑名单的替代方案，使用相同的解决方案，你可以像这个其他答案指出的那样，在每个会话中保存一个散列(虽然不确定在许多用户登录时是否更有效)。

听起来是不是很复杂?对我来说是这样的!

免责声明:我没有使用过Redis。