Where are passport.js tokens stored by default?
Hello, I am studying the nest.js framework. I implemented authentication through passport-jwt as described in the manual https://docs.nestjs.com/security/authentication#jw... , and everything works.
But a question arose: where are the tokens stored? I also set up a connection to the database with TypeORM; at first I thought the tokens were stored there, but I did not find any tables in the database.
I read that by default passport stores them in the application's memory, but then how are they preserved from one application start to the next? There are suggestions that they can be stored in the file system?
The JWT is not stored anywhere on the server side. That is its whole point. Of course, sometimes people resort to storing JWTs in a whitelist/blacklist of tokens, but those are already details.
A JWT in itself should contain sufficient information about the user for their authentication and authorization.
In short, a JWT is a token containing a JSON object with fields embedded in it when the token was issued, plus a signature. The signature is needed so that the server (the issuer) can verify that the token supplied with the client's request was actually issued by this (or a trusted) server (issuer).
For example, if we take the token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.6-NqQiSlSYgbZ-x31JH6g17DkFiTu04VM6CPiptriB0

then you can see that it consists of three parts separated by a dot.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is the header: a base64-encoded JSON object containing information about the token itself, namely the type and the encryption algorithm used to obtain the signature. If you decode the string, you get {"alg":"HS256","typ":"JWT"}.

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ is the payload: the JSON object that the server (issuer) generated when creating the token. Like the header, it is a base64 string. Decoded, in this example it turns out to be {"sub":"1234567890","name":"John Doe","iat":1516239022}.

6-NqQiSlSYgbZ-x31JH6g17DkFiTu04VM6CPiptriB0 is the signature. In this example the signature is generated using the HS256 algorithm (as indicated in the first part of the token) as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  jwt-secret
)

Here jwt-secret is the secret key. It is unknown to the client, so the client cannot generate a JWT with arbitrary data on its own. More precisely, it can, but it cannot produce a valid signature for that data, since it does not know the secret. The server knows the secret, so it can compute the signature from the first two parts of the token and compare it with the third part.

iat (issued at) is the time the token was issued. Likewise, exp (expiration time) is the time after which the token expires. JWT libraries use exp and, when validating a token, return an error if the specified time has already passed.