Saturday 22 February 2020

Need help with JWT Auth + Black-/Whitelisting

I'm working on an API server (Express with MongoDB) and implemented JWTs with refresh tokens for authentication. I want to be able to blacklist tokens, in case someone changes his password, gets hacked or banned.

I thought about storing a blacklist in Redis, using the JWT as a key. But how would I identify a token by the username then? Users should also be able to be logged in on multiple devices, so I can't use the user id as a key.

I guess I would need to store all JWTs of the user in their MongoDB document, but then I could just as well use MongoDB as a whitelist, right? Then I would also have to remove expired JWTs from the whitelist. In Redis I could just set the expire time, which I would prefer.

What would be the cleanest and simplest solution for this?

Submitted February 22, 2020 at 06:38PM by kevgk
