Ensure an isRevoked method is used for tokens
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
ID: javascript-express/jwt-not-revoked
Language: JavaScript
Severity: Warning
Category: Security
CWE: 525
Consider a method to revoke JWTs, especially when they contain sensitive information, to ensure they remain short-lived.
const { expressjwt: jwt } = require("express-jwt")
app.get(
"/protected",
jwt({
secret: "shhhhhhared-secret",
algorithms: ["HS256"]
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
import { expressjwt } from "express-jwt";
app.get(
"/protected",
expressjwt({
secret: "shhhhhhared-secret",
algorithms: ["HS256"],
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
const { expressjwt } = require("express-jwt")
app.get(
"/protected",
expressjwt({
secret: "shhhhhhared-secret",
algorithms: ["HS256"],
isRevoked: isRevokedCallback,
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
import { expressjwt as jwt } from "express-jwt";
app.get(
"/protected",
jwt({
secret: "shhhhhhared-secret",
algorithms: ["HS256"],
isRevoked: isRevokedCallback,
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);