JWT expiration processing - single token scheme

For projects with front and rear ends separated jwt As an interface, the security mechanism will encounter jwt Overdue questions .
jwt The expiration time can be set in , Even if it is set to one month , But maybe the user is still using the last second , Next second jwt Expired and called to log in again , This is unacceptable , So it needs to be handled jwt Expiration mechanism .
On this issue, the commonly used method is to use double token——access token and refresh token To deal with it ,access token User authorization ,refresh token It is used to get new after the former expires access token.
here .
I'm here to record my single token programme The idea of .

• Generated when the user logs in token And set expiration time （ Here you can set a shorter time , Such as 30 minute ）, Put this token Return and carry it in the next request for authentication . At the same time we are redis Save the token Refresh flag for ,key by "jwt_token:userId",value For the generated token, And set expiration time （ Here you can set a longer time , Such as 7 God , As the maximum unused time of the user , More than, you need to log in again ）.
• The back end receives the front end request , If you carry token Not expired , Then visit normally .
• The back end receives the front end request , If you carry token Be overdue , Then access is denied and an jwt Expired exception .
• Front end awareness token After expiration, you need to bring expired token visit token Refresh interface , Back end query redis,1）value And token identical ： Generate a new token, Cover value, And refresh value The expiration time of , Back to front ;2）value And token inequality , Refuse to refresh , Users log in again ;3）key non-existent , Refuse to refresh , Users log in again .
• When the user logs in again , Generate a new token, And put redis The corresponding records in , When the user logs off, the redis Delete records in , old token Will expire in a short time and cannot be refreshed .

Compared with double token The plan , single token Method is access token again refresh token, This has the advantage of being insensitive to the front end , The front end only needs to manage token, After the expiration, bring the expired token Recapture .redis The expiration time maintained in is how long the user has not used the time when he must log in .

There is still room for improvement in this method , If in key Add the equipment number field in the , In this way, the coverage problem of multi device login can be solved , You can also manually control logout on different devices .

There may be some thoughtless places , I hope you can give me some advice .