javascript - Email expiration tokens without usage of database and crontab deletion
问题描述
I have API server with Auth (registration, login, forgotten password, etc..) based on JWT token session.
When user forgot password, he gets email with unique token and link where he can reset his password.
At this moment, I am generating UUID token which is saved into database with expiration field.
After user reset his password or token expires, this token is invalidated. Invalidated tokens are deleted every midnight by crontab to keep database clean.
Is there any other way to do this? Maybe without usage of database?
I was thinking about bundling token UUID into JWT string. This way I do not need database row. But then I realized, that this token will be valid until it expires, so user can change his password infinitely. Only fix I see is add this token into revoked list (in database) until it expires, but then I again used database :D
Any ideas?
解决方案
Auth 是一个复杂的领域,我会使用像Auth0这样的现有解决方案来处理这个问题,因为要考虑的流程太多。
也就是说,您可以在重置密码链接中发送 JWT 令牌。它将具有到期日期和用户 ID。签名的 JWT 令牌不能被用户操纵,因此我们可以在它们过期时信任它们。这样,您根本不需要数据库条目来跟踪它。
推荐阅读
- sql-server - 比较sql server中的两个不同列以获得结果
- python - 平方迭代器中的无限循环
- reactjs - 如何在 Storybook 中制作 stories.mdx 文件?
- gnuplot - 如何在我的 gnuplot 图中放大行标题
- c# - 有没有办法获取文件夹中不包括特定文件夹的路径列表
- javascript - 如何使用 jquery 选择输入?
- c++ - C++ 无法将 uint8_t* 复制到 std::array
- apache-kafka - 将消息发布到集群中的一个 Kafka 代理的影响
- firebase - Firestore 会在将文档数据发送到客户端之前对其进行压缩吗?
- javascript - 为什么两个小数相加结果中有这么多零,只是好奇