node-jsonwebtoken: "expiresIn" option not working with sequelize object
The token is created but never expires. I am getting the object from a query to a relational db with the sequelize package. Code example:

```javascript
var jwt = require('jsonwebtoken');
// models, req and res come from the surrounding Sequelize/Express code (not shown in the post)

models.User.findOne({ where: { username: req.body.name } }) // Returns a user object or null
  .then(function (user) {
    if (user) {
      console.log(typeof user); // Logs "object"
      // Check if password matches
      if (user.password != req.body.pass) {
        res.json({ message: 'Authentication failed. Wrong password.' });
      } else {
        // If user is found and password is right, create a token
        // (the Sequelize instance itself is passed as the payload)
        var token = jwt.sign(
          user,
          'shhhhh',
          {
            expiresIn: 60 // expires in 1 minute
          }
        );
        // Shows the token
        console.log(token);
      }
    } else {
      console.log("User not found");
    }
  }).catch(function (error) {
    // error handling elided in the original post
  });
```
About this issue
- State: closed
- Created 9 years ago
- Comments: 21 (3 by maintainers)
I am using a similar method that works for me, except that I only use the username as token:
What info does decoding your token give on http://jwt.io/?
I'm using a similar way to sign the token and am encountering the same problem at the moment. Everything works fine, however the token doesn't seem to expire. I'm storing the token in the localstorage of the browser.
@gugol2 for mongoose documents you should use `jwt.sign(doc.toObject(), {..})`; notice the toObject() call.
I had this problem as well, it is because Mongoose and other libraries extend the stringify/toJSON methods of those model objects. (I don't remember how)
In case of mongoose, it's enough for you to call `modelObject.toJSON()` and it solves the issue. Just tested here.
I think this library should add some sort of mechanism to verify this, otherwise, lots of developers may be implementing JWT with expirationIn properly, but without knowing it doesn't work. This is basically a critical security issue. Obviously this is the developer's fault in the end, but … maybe it's good to help everyone out.