douju1953 2016-03-29 18:59
Views: 774
Accepted

Golang and JWT: simple logout

I'm currently working on an API and, after a bit of time, I now understand how to use JWT in Go to get a token. With this token I can keep a user connected, but how can I log out from the client application?

Here is my token.go code:

package main

import (
    "time"

    "github.com/dgrijalva/jwt-go"
)

const (
    tokenEncodeString = "something"
)

// User is used below but was not defined in the post; a minimal definition is assumed here.
type User struct {
    Username string
    Password string
}

func createToken(user User) (string, error) {
    // create the token
    token := jwt.New(jwt.SigningMethodHS256)

    // set some claims (token.Claims is a map in jwt-go v2; v3 uses jwt.MapClaims)
    token.Claims["username"] = user.Username
    token.Claims["password"] = user.Password
    token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()

    // sign and get the complete encoded token as a string
    return token.SignedString([]byte(tokenEncodeString))
}

func parseToken(unparsedToken string) (bool, string) {
    // the key function returns the HMAC secret used to verify the signature
    token, err := jwt.Parse(unparsedToken, func(token *jwt.Token) (interface{}, error) {
        return []byte(tokenEncodeString), nil
    })

    if err == nil && token.Valid {
        return true, unparsedToken
    }
    return false, ""
}

After some research, I found out that I can use a blacklist, but I really want to know if it's possible with something easier, like the code above.

I also want to find a solution that works with the memory used by the JWT process. Someone who disconnects/connects all the time should have only one token for each session, not one for him and a hundred in a given blacklist.


1 answer

  • douchaqi3369 2016-03-29 21:45

    First: Don't (ever) put sensitive credentials in the token. They are not encrypted, and you shouldn't need to do that.

    To note:

    • JWTs are stateless: you issue one, and it lives as long as you have allowed/are validating against on the server.
    • You could issue a new JWT with an expiry of 'now', but the old JWT would still be valid (i.e. a security risk).
    • Read through http://jwt.io/introduction/

    If you need control over expiring access tokens after issuance, then you should implement a server-side scheme, which would allow you to expire tokens directly. The user would only hold an ID that references the server-side store.

    This answer was selected as the best answer by the asker.
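One way to build the server-side scheme the answer describes, added here as an example that is not part of the question, the answer or the jwt-go library: the token carries a per-session id (jti) and the server keeps a denylist of logged-out ids, each entry expiring together with its token, which bounds the memory the question worries about. Only the Go standard library is used; the key, the claim names and the Denylist type are assumptions for illustration.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Claims carried by the token: subject, a per-session id (jti) and expiry; never credentials.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}
var key = []byte("constructed-example-secret") // hypothetical key; load it from config in practice
var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
func mac(input string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(input))
	return b64.EncodeToString(h.Sum(nil))
}
// Sign builds a compact HS256 JWT: header.payload.signature.
func Sign(c Claims) string {
	body, _ := json.Marshal(c)
	input := header + "." + b64.EncodeToString(body)
	return input + "." + mac(input)
}
// Denylist maps each logged-out jti to its token's exp, so an entry never outlives the token it blocks (not goroutine-safe: add a mutex or a shared store in a real server).
type Denylist map[string]int64
func (d Denylist) Revoke(c Claims) { d[c.Jti] = c.Exp }
// Prune drops entries whose token has expired anyway; call it periodically.
func (d Denylist) Prune(now int64) {
	for jti, exp := range d { if exp <= now { delete(d, jti) } }
}
// Verify checks the fixed header, the HMAC and exp, then rejects tokens whose jti was revoked.
func Verify(tok string, d Denylist, now int64) (Claims, bool) {
	var c Claims
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != header || !hmac.Equal([]byte(p[2]), []byte(mac(p[0]+"."+p[1]))) {
		return c, false
	}
	body, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &c) != nil || c.Exp <= now {
		return c, false
	}
	_, revoked := d[c.Jti]
	return c, !revoked
}
```

Running Prune on a timer keeps the list no larger than the number of logged-out sessions whose tokens have not yet expired.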
