Hi, I’m currently using express-jwt as follows:

app.use(expressJwt({
  secret: config.jwtSecret,
  credentialsRequired: false,
  getToken: req => req.cookies.id_token,
}));

I’m using it currently for authentication purposes only: identifying the user. I also want a second token for authorization, with a lower TTL, so a user would have to be authorized more frequently.

How can I offer another token to be extracted to a different property (say, req.roles)?

Does what I need make sense? Is there a better way to achieve what I want? How can this be done using express-jwt? Thanks!

Issue Analytics

  • State: open
  • Created 6 years ago
  • Reactions: 5
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

1 reaction
vidstige commented, Dec 17, 2020

Yeah, I ran into this exact same thing, and it’s not clear how to combine them in a good way. The thing is if you only have one jwt-express middleware, then it will either populate req.user or throw an error. This ensures you do not serve sensitive data unless a valid token is provided. So after considering this, imho, the most sensible semantics would be if one first middlewares you’re combining does not error, you bail out and are happy. If it errors, you go to the next one. Except when it’s the last one, then you want it to error. So a bit messy there. I looked into the connect api and so on, and it’s not clear to me how to do it in a neat way, but I’m sure it can be done.

One workaround I guess, is to do what you did and then have a fifth middleware after that checks that req.user was indeed populated, but feels brittle and furthermore you lose the exact error message (token expired or whatever). 🤔

I made a custom secret provider instead as a workaround for the time being, but that as well comes with drawbacks.

0 reactions
JClackett commented, Dec 17, 2020

@vidstige I don’t need it to throw an error though, just assign the appropriate property on the req object. This seems to be working as I expect? Not sure what the best way of combining them would be.
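
The two-token setup asked about in this thread, as an added example that is not from any participant and is not express-jwt's own code: each token gets its own cookie, secret and request property, so an expired short-lived roles token is rejected without disturbing req.user, and an identity token cannot be replayed as a roles token. The helper names (sign, verify, tokenInto, runChain), the roles_token cookie and the stand-alone HS256 check are assumptions made so the block runs without dependencies.

```javascript
// Added example: stand-alone HS256 verification, standing in for the library.
const crypto = require('crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Sign a payload with HS256 (used here only to build constructed tokens).
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Verify signature, pinned algorithm and expiry; throws on any failure.
function verify(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url'));
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('token expired');
  return payload;
}

// Middleware factory: one cookie, one secret, one request property.
// A missing cookie passes through (like credentialsRequired: false); a bad one is an error.
function tokenInto({ cookie, secret, property }) {
  return (req, res, next) => {
    const token = req.cookies && req.cookies[cookie];
    if (!token) return next();
    try { req[property] = verify(token, secret); } catch (err) { return next(err); }
    next();
  };
}

// Run middlewares in order against a request object, stopping at the first error.
function runChain(middlewares, req) {
  let error = null;
  for (const mw of middlewares) {
    mw(req, {}, (err) => { error = err || null; });
    if (error) break;
  }
  return { req, error };
}
```

With express-jwt itself, the same shape is two `app.use(expressJwt({...}))` calls that differ in `secret`, `getToken` and `requestProperty`; route handlers that need authorization must still check that req.roles is present, because a missing token is not an error here.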
