Verifying refresh tokens and access tokens with JWT

Question votes: 0 answers: 1

Let me explain my situation. I currently don't have any database. But I wrote a simple server.js file and send my requests to it (I run server.js with node server.js). I want to implement user login for my project. Here is my server.js source code:

const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
const PORT = 3000;

// JWT signing secret and token lifetimes
const secretKey = 'yourSecretKey'; // Replace with a secure secret key
const accessTokenExpiration = '1h'; // Access token expiration time (e.g., 1 hour)
const refreshTokenExpiration = '7d'; // Refresh token expiration time (e.g., 7 days)

// Sample user data for authentication
const users = [
  { id: 1, username: '[email protected]', password: '123456' },
  // Add more users as needed
];

// Sample tokens for simplicity (use a library for real token generation)
const accessToken = 'sampleAccessToken';
const refreshToken = 'sampleRefreshToken';

// Endpoint for user authentication
app.post('/auth/token', (req, res) => {
  const { grant_type, client_id, client_secret, username, password, refresh_token } = req.body;

  // Validate client_id and client_secret if needed

  // Check if grant_type is 'password' for user login
  if (grant_type === 'password') {
    // Find the user based on the provided username and password
    const user = users.find(u => u.username === username && u.password === password);

    if (user) {
      // Generate access token
      const accessToken = jwt.sign({ userId: user.id, username: user.username }, secretKey, { expiresIn: accessTokenExpiration });

      // Generate refresh token
      const refreshToken = jwt.sign({ userId: user.id, username: user.username }, secretKey, { expiresIn: refreshTokenExpiration });

      // Return tokens if user is found
      res.json({
        token_type: 'Bearer',
        expires_in: accessTokenExpiration,
        access_token: accessToken,
        refresh_token: refreshToken,
      });
    } else {
      // Return an error if user is not found
      res.status(404).json({ error: 'Invalid credentials' });
    }
  } else if (grant_type === 'refresh_token') {
    // Check if the provided refresh token is valid (use your logic for validation)
    // For simplicity, let's assume all refresh tokens are valid

    // Generate new access token
    const newAccessToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: accessTokenExpiration });

    // Generate new refresh token
    const newRefreshToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: refreshTokenExpiration });

    // Return new tokens
    res.json({
      token_type: 'Bearer',
      expires_in: accessTokenExpiration,
      access_token: newAccessToken,
      refresh_token: newRefreshToken,
    });
  } else {
    // Return an error for unsupported grant_type
    res.status(400).json({ error: 'Unsupported grant_type' });
  }
});

// Sample user data for registration
const registeredUsers = [];

// Endpoint for user registration
app.post('/user/register', (req, res) => {
  const { email, password } = req.body;

  // Check if the email is already registered
  const existingUser = registeredUsers.find(u => u.email === email);
  if (existingUser) {
    return res.status(400).json({ error: 'Email already registered' });
  }

  // Register the new user
  const newUser = { id: registeredUsers.length + 1, email, password };
  registeredUsers.push(newUser);

  // You might want to generate an access token for the registered user here

  // Return a success message
  res.json({ message: 'User registered successfully', user: newUser });
});

// Start the server
app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

As you can see, I don't have a key. I also defined a client_secret in my application, but I don't know where exactly to get it from :)... Anyway... that's not very important.

With this server.js I can log a user in and receive an access_token and a refresh_token. But I don't know how to verify them and renew the refresh token and access token. I want the user, once the previous access token has expired, to receive a new refresh token and a new access token by using the previous refresh token. I read some documentation about JWT and verification methods, but I couldn't implement the right logic to do this. My main problem is this part of the code:

else if (grant_type === 'refresh_token') {
    // Check if the provided refresh token is valid (use your logic for validation)
    // For simplicity, let's assume all refresh tokens are valid

    // Generate new access token
    const newAccessToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: accessTokenExpiration });

    // Generate new refresh token
    const newRefreshToken = jwt.sign({ /* Include relevant user information */ }, secretKey, { expiresIn: refreshTokenExpiration });

    // Return new tokens
    res.json({
      token_type: 'Bearer',
      expires_in: accessTokenExpiration,
      access_token: newAccessToken,
      refresh_token: newRefreshToken,
    });
  } else {
    // Return an error for unsupported grant_type
    res.status(400).json({ error: 'Unsupported grant_type' });
  }
});

I don't know the right logic for the validation, nor what to put for "Include relevant user information". Please help me :)!!!... If you know any other information about this process, please tell me. Thanks!

I also use Postman to test my requests and responses. I send this HTTP POST request (Postman test):

[{"key":"grant_type","value":"refresh_token","type":"text","equals":true},{"key":"refresh_token","value":"the previous refresh_token, received from the login response","type":"text","equals":true},{"key":"client_id","value":"2","type":"text", "equals":true},{"key":"client_secret","value":"[ hash code ]","type":"text","equals":true}]

I get this status code (400):

{
    "error": "Unsupported grant_type"
}
javascript node.js json server backend
1 Answer

0 votes

You should use the middleware functions of the body-parser and express modules to parse the JSON data from the HTTP request:

npm i express
npm i body-parser

After that, add the two middleware functions at the top of your code, as in the sample code below:

const express = require("express");
const app = express();
const bodyParser = require("body-parser");
const jwt = require("jsonwebtoken");

const secret = "yourSecretKey";

// Parse JSON bodies and URL-encoded form bodies so req.body is populated
app.use(express.json());
app.use(bodyParser.urlencoded({ extended: true }));

app.post("/generate-token", (req, res) => {
   const userId = req.body.user_id;
   jwt.sign({ user_id: userId }, secret, { expiresIn: "1h" }, (err, token) => {
      if (!err && token) {
         res.status(200).json({ token: token });
      } else {
         // Always send a response, otherwise the request hangs
         res.status(500).json({ error: "Could not sign token" });
      }
   });
});

app.post("/verify-token", (req, res) => {
   const token = req.body.token;
   jwt.verify(token, secret, (err, user) => {
      if (!err && user) {
         res.status(200).json({ token: token, user: user });
      } else {
         // Bad signature, expired, or missing token
         res.status(401).json({ error: "Invalid token" });
      }
   });
});

const PORT = 3000;

app.listen(PORT, "127.0.0.1", () => {
   console.log(`Server running on ${PORT}`);
});