Visitor Authentication using Node - Cookie token

[DmitrijBuckovsky]

Hi,

I’ve implemented Visitor Authentication using Node and Auth0. Everything is working, and I can manage access to GitBook pages according to Auth0 roles (which are included in the Auth0 JWT).

However, if I make changes on the Auth0 side (e.g., remove a role from a user) and call /login (a route provided by the express-openid-connect library) or wait until the Auth0 access token expires, GitBook does not reauthenticate me. I think it maintains its own session using the cookie gitbook-visitor-token~xxxxxx. I believe GitBook does not call the Fallback URL to reauthenticate with Auth0 until this cookie expires. If I delete this cookie via Developer Tools and refresh the secured page, the login process starts again.

Is it possible to ‘logout’ from GitBook as well? Or is there a way to delete or modify the cookie’s max-age (currently set to 7 days)?

[SamyPesse]

There is no direct way to logout a user, but there are 2 options you can explore:

1. Controlling the expiration date of the JWT token. This expiration date defines how long the cookie will be used. If you know you are often changing user information in Auth0, it could be worth using a lower-value
2. Redirecting the user with a new ? jwt_token in the URL. Every time a new jwt_token is passed in the URL, it takes priority over the cookie. The fallback URL is only used if no jwt_token is passed in the URL and no cookie has been stored.

[DmitrijBuckovsky]

Thanks for the response.

Controlling the expiration date with JWT would be great. However, it doesn't seem to take into account the value in the JWT expiresIn parameter.

I set expiration of JWT to 10 min like this:

    const token = jwt.sign({}, process.env.GITBOOK_SIGNING_KEY, { expiresIn: '10m' });
    const redirectURL = `${process.env.GITBOOK_BASE_URL}/${page}/?jwt_token=${token}`;
    res.redirect(redirectURL);

My cookie contains these data:

{
    "basePath":"/stay-tuned/",
    "token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzMxNDcwMzYsImV4cCI6MTczMzE0NzYzNn0.qJDtTvWRpkW2SIriZ7rFAkRVqZ-B8C2SdabL8QiMtUQ"
}

When I parse JWT, exp value is correctly 10min after iat, but when I try to access the secured page after expiration date the Fallback URL is not called (Auth0 login is not initialized). Fallback URL is called after an hour or so.

Is there some minimum value for expiresIn? Or maybe I'm missing some parameter in JWT?