node-jsonwebtoken: "expiresIn" option not working with sequelize object

The token is created but never expires. I am getting the object from a query to a relational db with the sequelize package. Code example:

    var jwt = require('jsonwebtoken');
    var models = require('./models'); // Sequelize models (path assumed)

    models.User.findOne({ where: { username: req.body.name } }) // Resolves to a User instance or null
    .then(function(user) {
        if (user) {
            console.log(typeof user); // Logs "object"
            // Check if password matches
            if (user.password != req.body.pass) {
                res.json({ message: 'Authentication failed. Wrong password.' });
            } else {
                // If user is found and password is right, create a token.
                // Note: the Sequelize instance itself is passed as the payload.
                var token = jwt.sign(
                    user,
                    'shhhhh',
                    {
                        expiresIn: 60 // expires in 1 minute
                    }
                );

                // Shows the token
                console.log(token);
            }
        } else {
            console.log("User not found");
        }
    }).catch(function(error) {
        console.error(error);
        res.status(500).json({ message: 'Internal error' });
    });

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 21 (3 by maintainers)

Most upvoted comments

I am using a similar method that works for me, except that I only use the username as token:

    var jwt = require('jsonwebtoken');
    var bcrypt = require('bcrypt');
    var _ = require('lodash');
    // `User` is the Mongoose model and `config.secrets.jwt` the signing secret;
    // the function name is assumed, `done(err, user, info)` reports the outcome.
    function verifyCredentials(username, password, done) {
      User.findOne({username: username}, (err, user) => {
        if (err) {
          return done(err, false);
        }
        if (!user) {
          return done(null, false, {message: 'Invalid credentials'});
        }
        bcrypt.compare(password, user.password, (err, isMatching) => {
          if (err) {
            return done(err, false);
          }
          if (!isMatching) {
            return done(null, false, {message: 'Invalid credentials'});
          }

          // Only the username goes into the payload, never the document itself
          var token = jwt.sign({user: user.username}, config.secrets.jwt, {
            expiresIn: '10m',
            algorithm: 'HS256'
          });
          user.token = token;
          User.update({_id: user._id}, {token: user.token, reauth: false}, () => {
            user = _.pick(user, ['username', 'token']);
            return done(null, user);
          });
        });
      });
    }

What info does decoding your token give on http://jwt.io/?

I’m using a similar way to sign the token and am encountering the same problem at the moment. Everything works fine, however the token doesn’t seem to expire. I’m storing the token in the localStorage of the browser.

@gugol2 for mongoose documents you should use jwt.sign(doc.toObject(), {..});

notice the toObject() call.

I had this problem as well, it is because Mongoose and other libraries extend the stringify/toJSON methods of those model objects. (I don't remember how)

In case of mongoose, it's enough for you to call modelObject.toJSON() and it solves the issue. Just tested here.

I think this library should add some sort of mechanism to verify this, otherwise, lots of developers may be implementing JWT with expirationIn properly, but without knowing it doesn't work. This is basically a critical security issue. Obviously this is the developer's fault in the end, but … maybe it's good to help everyone out.