#What to do with JWT


grave moth

I have created the /auth endpoints and gotten them working. But in the documentation: https://docs.nestjs.com/security/authentication

It simply tells you to reply to the HTTP request with the auth_token. Here's what I don't understand - shouldn't we be sending back a cookie? Or something? Also doesn't the auth_token expire quickly? How do you refresh it? I bought the authentication course but have no idea when it's going to actually come out.

muted tendon

It is up to you how you handle the JWT on the client side. As you already mentioned, you can set the JWT as a cookie. An alternative way would be storing the JWT in the browser's local storage. Both ways could lead to security vulnerabilities like CSRF or XSS. If you need more information there, feel free to ask.

When generating the JWT you can set how long the JWT should be valid. You can specify it with the expiresIn option when registering the JwtModule, here is the example from the docs:

```typescript
JwtModule.register({
  secret: jwtConstants.secret,
  signOptions: { expiresIn: '60s' },
}),
```

Now to your refresh question: in general you have three options:

1. Make the JWT very, very long-lived (which is not really refreshing but makes refreshing obsolete), or
2. implement a refresh strategy with guards on your own, or
3. choose an auth service like Auth0.

I would definitely **not** recommend using option 1 due to security concerns.

I hope this helped, just ask if you have further questions 🙂
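An added example, not from the NestJS docs or from either poster: a stand-alone TypeScript sketch of option 2 (a short-lived access token paired with a longer-lived refresh token) using only Node's `crypto` module. The secret, the TTLs and the `type` claim are constructed for illustration; in a NestJS app `sign`/`verify` would be `JwtService` and `refresh` would sit behind a guard on a `/auth/refresh` route.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed secret for the example only; in NestJS this is jwtConstants.secret.
const SECRET = "example-secret-do-not-use";
const b64 = (s: string) => Buffer.from(s).toString("base64url");

// Minimal HS256 signer, the equivalent of JwtService.sign() with signOptions.expiresIn.
export function sign(payload: Record<string, unknown>, ttlSeconds: number,
                     now = Math.floor(Date.now() / 1000)): string {
  const header = b64(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64(JSON.stringify({ ...payload, iat: now, exp: now + ttlSeconds }));
  const sig = createHmac("sha256", SECRET).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Checks the signature first (constant-time compare), then the exp claim. Null on any failure.
export function verify(token: string, now = Math.floor(Date.now() / 1000)): Record<string, any> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = createHmac("sha256", SECRET).update(`${header}.${body}`).digest("base64url");
  const a = Buffer.from(sig), b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp <= now) return null; // expired
  return claims;
}

// Login issues both tokens: access lives 60s (expiresIn: '60s'), refresh lives 7 days.
export function login(userId: string, now?: number) {
  return {
    accessToken: sign({ sub: userId, type: "access" }, 60, now),
    refreshToken: sign({ sub: userId, type: "refresh" }, 7 * 24 * 3600, now),
  };
}

// The /auth/refresh handler: accept only a valid *refresh* token, mint a new access token.
// An expired access token cannot be used to refresh itself.
export function refresh(refreshToken: string, now?: number): string | null {
  const claims = verify(refreshToken, now);
  if (!claims || claims.type !== "refresh") return null;
  return sign({ sub: claims.sub, type: "access" }, 60, now);
}
```

The `type` claim is what stops a client from presenting an access token to the refresh route; without it the two tokens would be interchangeable and the short expiry would buy nothing.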