2) Keep a token blacklist/whitelist
If, after removing the token from browser storage, you still want to be stricter, the only remaining option is to keep on the server a blacklist/whitelist of tokens that have been invalidated but have not yet expired, query the database on every request to match the incoming token, and maintain the list in some way (periodic deletion of expired entries for a blacklist, deletion on invalidation for a whitelist). This clearly goes against the stateless intent of tokens, but apart from it there is no other way.
The list can be stored in the database keyed as userId—token (you can of course add other fields for extra information as you like: MAC address, phone or PC, device model, and so on). For a whitelist, store the valid tokens directly and delete the specified token wherever your logic needs to invalidate it (for example, when refreshing a token, delete the old one that is now invalid but not yet expired). For a blacklist, you need to periodically delete the tokens in it that have already expired.
For verification, besides matching the token against the list in the database, you also need to verify the validity of the token itself.
3) Just set the token's expiry time short enough
How to refresh a token (quoted from GitHub; `JWT` is the jsonwebtoken module and `Config` is the application's configuration object, both assumed to be in scope):

```typescript
static refreshToken = (token): string => {
  // Registered claims that must not be copied into the new payload
  let optionKeys = ['iat', 'exp', 'iss', 'sub'];
  let newToken;
  let obj = {};
  let now = Math.floor(Date.now() / 1000);
  let timeToExpire = (token['exp'] - now);
  if (timeToExpire < (60 * 60)) { // less than 1h left: re-issue
    for (let key in token) {
      if (optionKeys.indexOf(key) === -1) {
        obj[key] = token[key];
      }
    }
    let options = {
      expiresIn: '7 days',
      issuer: 'moi',
      subject: token.sub,
      algorithm: 'HS256'
    };
    newToken = JWT.sign(obj, Config.get('/jwtSecret'), options);
  } else {
    newToken = ''; // no need to refresh, do what you want here.
  }
  return newToken;
}
```

Another approach to refreshing tokens (from the library's own gist):

```javascript
/**
 * Example to refresh tokens using https://github.com/auth0/node-jsonwebtoken
 * It was requested to be introduced as part of the jsonwebtoken library;
 * since we feel it does not add too much value but it will add code to maintain,
 * we won't include it.
 *
 * I create this gist just to help those who want to auto-refresh JWTs.
 */
const jwt = require('jsonwebtoken');

function TokenGenerator (secretOrPrivateKey, secretOrPublicKey, options) {
  this.secretOrPrivateKey = secretOrPrivateKey;
  this.secretOrPublicKey = secretOrPublicKey;
  this.options = options; // algorithm + keyid + noTimestamp + expiresIn + notBefore
}

TokenGenerator.prototype.sign = function(payload, signOptions) {
  const jwtSignOptions = Object.assign({}, signOptions, this.options);
  return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
}

// refreshOptions.verify = options you would use with verify function
// refreshOptions.jwtid = contains the id for the new token
TokenGenerator.prototype.refresh = function(token, refreshOptions) {
  const payload = jwt.verify(token, this.secretOrPublicKey, refreshOptions.verify);
  delete payload.iat;
  delete payload.exp;
  delete payload.nbf;
  delete payload.jti; // We are generating a new token; if you are using jwtid during signing, pass it in refreshOptions
  const jwtSignOptions = Object.assign({ }, this.options, { jwtid: refreshOptions.jwtid });
  // The first signing converted all needed options into claims; they are already in the payload
  return jwt.sign(payload, this.secretOrPrivateKey, jwtSignOptions);
}

module.exports = TokenGenerator;
```

Test module:

```javascript
/**
 * Just a few lines to test the behavior.
 */
const TokenGenerator = require('./token-generator');
const jwt = require('jsonwebtoken');

const tokenGenerator = new TokenGenerator('a', 'a', { algorithm: 'HS256', keyid: '1', noTimestamp: false, expiresIn: '2m', notBefore: '2s' });

const token = tokenGenerator.sign({ myclaim: 'something' }, { audience: 'myaud', issuer: 'myissuer', jwtid: '1', subject: 'user' });

// Wait past notBefore ('2s') before refreshing, otherwise verify() rejects the token
setTimeout(function () {
  const token2 = tokenGenerator.refresh(token, { verify: { audience: 'myaud', issuer: 'myissuer' }, jwtid: '2' });
  console.log(jwt.decode(token, { complete: true }));
  console.log(jwt.decode(token2, { complete: true }));
}, 3000);
```
