JavaScript
hedoto, 2021-03-03 22:57:56

Where are passport.js tokens stored by default?

Hello, I am studying the nest.js framework and implemented authentication through passport jwt, as described in the manual https://docs.nestjs.com/security/authentication#jw... ; everything works.
But a question arose: where are the tokens stored? I also set up a connection to the database with typeorm, and at first I thought the tokens were stored there, but I did not find any tables in the database.
I read that by default passport stores them in the application's memory, but then how do they survive from one application start to the next? There are suggestions that they could be stored in the file system?


1 answer(s)
Quty, 2021-03-11

The JWT is not stored anywhere on the server side. That is its essence. Of course, sometimes people resort to storing JWTs in a white/black list of tokens, but those are already details.
A JWT in itself should contain sufficient information about the user for his authentication and authorization.
In short, a JWT is a token containing a JSON object with fields embedded in it when the token was issued, plus a signature. The signature is needed so that the server (the issuer) can verify that the token presented in the client's request was actually issued by this (or a trusted) server (issuer).
For example, if we take the token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.6-NqQiSlSYgbZ-x31JH6g17DkFiTu04VM6CPiptriB0
then you can see that it consists of three parts, separated by a dot.
The first part eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is the header: a base64-encoded JSON object containing information about the token itself, namely the type and the encryption algorithm used to obtain the signature. If you decode the string, you get {"alg":"HS256","typ":"JWT"}.
The second part
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
is the payload: a JSON object that was generated by the server (issuer) when creating the token. Like the header, it is a base64 string. Decoded, in this example it turns out to be
{"sub":"1234567890","name":"John Doe","iat":1516239022}

The third part 6-NqQiSlSYgbZ-x31JH6g17DkFiTu04VM6CPiptriB0 is the signature. In this example, the signature is generated using the HS256 algorithm (as indicated in the first part of the token) as follows:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  jwt-secret
)

In this case, the secret for JWT signing and validation is the string jwt-secret. The secret key is unknown to the client, so it cannot generate a JWT with arbitrary data on its own. More precisely, it can, but it cannot produce a valid signature for that data, since it does not know the secret. The server knows the secret, so it can calculate the signature from the first two parts of the token and compare it with the third part.
Usually, the second part of the token (payload) contains, in addition to information about the user, technical information about the token. For example, iat (issued at) is the time the token was issued. Or exp (expiration time) is the time after which the token expires. JWT libraries use exp when validating a token and give an error if the specified time has already passed.
