@ziluvatar
Last active June 23, 2025 11:42
Example of refreshing tokens with jwt
// token-generator.js (the file required below as './token-generator')
/**
 * Example to refresh tokens using https://github.com/auth0/node-jsonwebtoken
 * It was requested to be introduced as part of the jsonwebtoken library;
 * since we feel it does not add too much value but it will add code to maintain,
 * we won't include it.
 *
 * I created this gist just to help those who want to auto-refresh JWTs.
 */
const jwt = require('jsonwebtoken');

function TokenGenerator (secretOrPrivateKey, secretOrPublicKey, options) {
  this.secretOrPrivateKey = secretOrPrivateKey;
  this.secretOrPublicKey = secretOrPublicKey;
  this.options = options; // algorithm + keyid + noTimestamp + expiresIn + notBefore
}

TokenGenerator.prototype.sign = function (payload, signOptions) {
  // Instance options win over per-call options, so algorithm and lifetime stay fixed
  const jwtSignOptions = Object.assign({}, signOptions, this.options);
  return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
};

// refreshOptions.verify = options you would use with the verify function
//   (include `algorithms` so the token's own header cannot choose the algorithm)
// refreshOptions.jwtid = contains the id for the new token
TokenGenerator.prototype.refresh = function (token, refreshOptions) {
  // verify throws on a bad signature and on an expired or not-yet-valid token,
  // so only a currently valid token can be refreshed
  const payload = jwt.verify(token, this.secretOrPublicKey, refreshOptions.verify);
  delete payload.iat;
  delete payload.exp;
  delete payload.nbf;
  delete payload.jti; // We are generating a new token; if you are using jwtid during signing, pass it in refreshOptions
  const jwtSignOptions = Object.assign({}, this.options, { jwtid: refreshOptions.jwtid });
  // The first signing converted all needed options into claims; they are already in the payload
  return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
};

module.exports = TokenGenerator;
// test script (second file of the gist; its filename is not shown on the page)
/**
 * Just a few lines to test the behavior.
 */
const TokenGenerator = require('./token-generator');
const jwt = require('jsonwebtoken');

const tokenGenerator = new TokenGenerator('a', 'a', { algorithm: 'HS256', keyid: '1', noTimestamp: false, expiresIn: '2m', notBefore: '2s' });
const token = tokenGenerator.sign({ myclaim: 'something' }, { audience: 'myaud', issuer: 'myissuer', jwtid: '1', subject: 'user' });

// Wait past the 2s notBefore, otherwise the verify inside refresh throws NotBeforeError
setTimeout(function () {
  const token2 = tokenGenerator.refresh(token, { verify: { audience: 'myaud', issuer: 'myissuer', algorithms: ['HS256'] }, jwtid: '2' });
  console.log(jwt.decode(token, { complete: true }));
  console.log(jwt.decode(token2, { complete: true }));
}, 3000);
@5eraph
5eraph commented Oct 12, 2020

@TriStarGod Interesting. I never thought about the internals of RSA and was thinking about crypto in general. I do not know whether this would be possible with other algorithms as well. But anyway, your initial message may confuse someone into using public/private incorrectly, so it may be worth updating that answer.

@Mihir018
Mihir018 commented Sep 5, 2023

I am not able to extract out

delete payload.iat;
delete payload.exp;
delete payload.nbf;

It seems these values do not exist on the payload. Is there some other way I can delete the old token and generate a new one, or can someone help me with what I am missing?

@AniketSaini0
AniketSaini0 commented Feb 10, 2025

@TriStarGod

Yes, your reasoning is correct, but what actually happens is that when there is communication between A and B, they share their respective public keys with each other at the beginning.

So when A sends some data, it has to be first encrypted using A's private key (inner encryption layer) and then encrypted using B's public key (outer encryption layer).
That's why, on B's side, the data first has to be decrypted using B's private key (to remove the outer encryption layer, since it was encrypted using B's public key), and only then can one use A's public key to decrypt the inner encryption layer.

That's how, even if other people have A's public key, they cannot decrypt the data with the public key alone.

@karaarajunnior

Yeah, this confirms that the data was indeed encrypted (signed) by A, since only A's private key could have produced something decryptable with A's public key.

@karaarajunnior

So, when a refresh token is auto-generated, does it have two parts, i.e. the refresh token and the access token within it, or...? Clarify.
