Gotcha (severity: Critical)
JWT token expiration not being checked — silent auth bypass
Tags: JWT expiration, exp claim, token validation, jsonwebtoken, verify, refresh token, clock skew
Platforms: Node.js, browser
Problem
JWT-based authentication appears to work, but expired tokens are still accepted: users remain authenticated indefinitely after the token's intended lifetime, and the server throws no errors, so nothing in the logs points at the problem.
Solution
Not every JWT library checks expiration by default, and the ones that do only check it when the exp claim is actually present. Verify each of the following:
(1) The token includes an exp claim when signing: jwt.sign(payload, secret, { expiresIn: "1h" }). A token signed without expiresIn carries no exp, and jwt.verify accepts it for as long as the signing key stays valid.
(2) The verification step checks expiration: jwt.verify(token, secret) in jsonwebtoken rejects an expired token (TokenExpiredError) by default, but only if exp is present, and the check is switched off entirely by { ignoreExpiration: true }. Other libraries need explicit configuration. To enforce a lifetime even when exp is missing, pass { maxAge: "1h" }, which measures age from iat and fails if iat is absent.
(3) Clock skew: in distributed systems add a small clockTolerance (in seconds). Keep it small; every second of tolerance extends the effective lifetime of every token.
(4) Always validate on the server. Never trust client-side token checks alone, since a client can simply skip them.
(5) Implement a token refresh flow: short-lived access tokens (about 15 minutes) plus long-lived refresh tokens that the server can revoke.
Why
The JWT spec (RFC 7519) defines exp as an OPTIONAL claim, so a verifier that only rejects tokens whose exp has passed will accept a token that has no exp at all, and not all libraries enforce the check by default. If the signing code omits exp, or verification skips or disables the check, a token with a valid signature lives for as long as the signing key does.