我正在使用两个 JWT 令牌 -Refresh Token(7 天后过期(和Access Token(15 分钟后过期(。它们存储在httpOnly cookies上,可以通过服务器访问。刷新方法对新令牌进行签名并将其存储在 cookie 上。我需要检查这些令牌在每次请求后是否过期,如下所示:
@Injectable()
export class AuthInterceptor implements HttpInterceptor {
constructor(private authService: AuthService, private cookieService: CookieService) { }
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
const expirationToken = this.cookieService.get('tokenexp'); // access token expiration
const expirationTokenRefresh = this.cookieService.get('tokenrefexp'); // refresh expiration
// Refresh Token needs to be checked first
if (Number(expirationTokenRefresh) < Date.now()) {
// new refresh token is stored on cookie
this.authService.refreshTokenRefresh();
// this.authService.refreshToken().subscribe(() => { ... });
}
// next we check Access Token
if (Number(expirationToken) < Date.now()) {
// new access token is stored on cookie
this.authService.refreshToken();
// this.authService.refreshTokenRefresh().subscribe(() => { ... });
}
return next.handle(req.clone({
withCredentials: true
}));
}
}
// auth service
refreshToken() {
return this.http.get(`${BACKEND_URL}/refreshtoken`);
}
refreshTokenRefresh() {
return this.http.get(`${BACKEND_URL}/refreshtokenref`);
}以下是Express后端方法:
//routes
const express = require('express');
const router = express.Router();
router.get('/refreshtoken', user.refreshToken);
router.get('/refreshtokenref', user.refreshTokenRefresh);
// refresh access token method
const jwt = require('jsonwebtoken');
const moment = require('moment');
const User = require('../models/user');
exports.refreshToken = wrap(async(req, res, next) => {
const user = await User.findOne({ refresh_token: req.cookies['tokenref'] });
if (user) {
const newToken = await jwt.sign(
{ email: user.email, userId: user._id, role: user.role },
process.env.JWT_Key,
{ expiresIn: '15m' });
const expiresAt = moment().add(900, 'second');
res.cookie('tokenexp', JSON.stringify(expiresAt.valueOf()), { maxAge: 3000000000, secure: true});
res.cookie('token', newToken, { maxAge: 3000000000, secure: true, httpOnly: true });
res.status(200).json({success: true});
} else {
res.status(401).json({success: false, message: 'Sessão expirou.'});
}
});如何使用RxJS Observables使其工作?我可能会发送一个刷新令牌的请求,然后发送另一个刷新第二个令牌的请求,最后发送带有更新 cookie 的原始请求。总之,我可能需要在原始请求之前发送请求。 还有一个问题:AuthInterceptor不应该在请求一两个(令牌(后调用。
使用 mergeMap 按顺序检查令牌的有效性。
return of(Number(expirationTokenRefresh) < Date.now()).pipe(
mergeMap(expire => expire
? this.authService.refreshTokenRefresh()
: of(Number(expirationToken) < Date.now())
),
mergeMap(expire => expire
? this.authService.refreshToken()
: of(true)
),
mergeMap(ok => next.handle(req.clone({ withCredentials: true })))
)