
JWT refresh after system time change


I'm developing a web frontend to configure a hardware device (almost like a router), which runs a Node.js backend that serves an Angular frontend for configuration. I use JWT to secure stateless requests to the backend.

One feature is to set the system time via the frontend, by issuing a command to the backend, which sets the local machine time, to deal with timezones. The problem is that when the time change is more than 30 minutes into the past, the user gets logged out due to session timeout.

What would be the best way to solve it? My approach was to set the timeout to indefinite, change the system time and change the timeout back to 30 min, using a refresh token. Any other ideas? Thanks.


Solution

  • If you ask me, using an expiration time in a JWT when the system time can change does not make sense. So my options would be:

      - Do not use expiration time at all

      - Use refresh tokens

      - Revoke all issued tokens

      - Time history: Accept the old tokens by calculating the date they were issued. You can know when a token was issued by adding a unique and incremental jti identifier. When the system time changes, store the current jti value and the difference between the old and the current time:

          jti - time diff

        You can empty the list when the maximum expiration time is exceeded.