A hacky way to disable express-jwt expiry for development

I’m developing a small app in my free time using Node.js and Express, while trying out Auth0 as a way to outsource the authentication layer nicely. One problem I face, though, is that when I want to test out my API, which I now typically do via Insomnia (great tool btw), I couldn’t get a long-lasting token to test with.

So I figured out a quick dirty trick to fix this. Jumping through the calls through different node packages for JWT (express-jwt -> jsonwebtoken), I found a clockTimestamp option.

clockTimestamp: the time in seconds that should be used as the current time for all necessary comparisons.

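Simply set the clockTimestamp value to some small non-zero integer. It has to be non-zero because jsonwebtoken treats a falsy clockTimestamp as unset and falls back to the real current time. With a value like 1, the expiry check compares the token's exp claim against a moment at the very beginning of Unix time (one second into 1970), so no token ever looks expired. The same fake time is also used for the nbf (not before) check, so a token that carries an nbf claim will be rejected as not yet active.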

Some example code / barebones app:

const express = require('express')
const jwt = require('express-jwt')
const jwks = require('jwks-rsa')
require('dotenv').config()

const app = express()

const jwtOptions = {
    secret: jwks.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: 'https://some-domain.auth0.com/.well-known/jwks.json',
    }),
    audience: 'http://localhost:3000/api/',
    issuer: 'https://some-domain.auth0.com/',
    algorithms: ['RS256'],
}

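// This effectively disables the expiry check: every exp comparison is made
// against Unix time 1 instead of the real clock (0 would be ignored as falsy)
if (process.env['DISABLE_JWT_EXPIRY']) {
    console.log('WARNING: JWT expiry check disabled (clockTimestamp set to 1)')
    jwtOptions.clockTimestamp = 1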
}

let jwtCheck = jwt(jwtOptions)
app.use(express.json())
app.use(jwtCheck)

app.get('/userinfo', (req, res) => {
    res.json(req.user)
})

console.log('Starting on port 4000')
app.listen(4000)

Running it locally now with the DISABLE_JWT_EXPIRY environment variable set I can skip having to get a fresh token. Another alternative would ofc be to just use a different JWT setup for local development, but eh… too lazy :)

Of course, don’t use this anywhere outside local development.
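
To see why the value has to be non-zero and what else the fake clock affects, here is an added example (not code from the original post, and not jsonwebtoken's source): a simplified model of the exp/nbf comparisons, plus a startup guard for the environment variable. The names checkTimeClaims and jwtClockOverride, the NODE_ENV check and the sample payloads are assumptions made for illustration.

```javascript
// Simplified model of the exp/nbf comparisons that clockTimestamp feeds into
// (added illustration, not jsonwebtoken's source code).
function checkTimeClaims(payload, options = {}, nowSeconds = Math.floor(Date.now() / 1000)) {
    // A falsy clockTimestamp (undefined or 0) falls back to the real clock,
    // which is why the override has to be non-zero.
    const clock = options.clockTimestamp || nowSeconds
    const tolerance = options.clockTolerance || 0
    if (payload.nbf !== undefined && payload.nbf > clock + tolerance) return 'jwt not active'
    if (payload.exp !== undefined && clock >= payload.exp + tolerance) return 'jwt expired'
    return 'ok'
}

// Hypothetical startup guard: only the exact string 'true' enables the
// override, and it is refused unless NODE_ENV is 'development' (assumption).
function jwtClockOverride(env) {
    if (env.DISABLE_JWT_EXPIRY !== 'true') return {}
    if (env.NODE_ENV !== 'development') {
        throw new Error('DISABLE_JWT_EXPIRY is only allowed with NODE_ENV=development')
    }
    return { clockTimestamp: 1 }
}

// Constructed sample payloads (not real tokens); NOW is a fixed fake "current time".
const NOW = 1700000000
const expired = { sub: 'user-1', exp: NOW - 3600 }
const expiredWithNbf = { sub: 'user-1', nbf: NOW - 7200, exp: NOW - 3600 }
const devEnv = { DISABLE_JWT_EXPIRY: 'true', NODE_ENV: 'development' }

function demo() {
    return {
        realClock: checkTimeClaims(expired, {}, NOW),
        zeroOverride: checkTimeClaims(expired, { clockTimestamp: 0 }, NOW),
        devOverride: checkTimeClaims(expired, jwtClockOverride(devEnv), NOW),
        nbfToken: checkTimeClaims(expiredWithNbf, jwtClockOverride(devEnv), NOW),
        falseString: checkTimeClaims(expired, jwtClockOverride({ DISABLE_JWT_EXPIRY: 'false' }), NOW),
    }
}

console.log(demo())
```

The guard closes two gaps in a plain truthiness check on the variable: a value such as 'false' or '0' no longer enables the bypass, and a stray variable in a non-development environment stops the process at startup instead of silently accepting expired tokens.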

Published Oct 5, 2018

Security Engineer with a dash of software. Originally from Stockholm, now in Berlin. I like to hack things.