Monday, 1 July 2019

Is this a good way to revoke JWT sessions without keeping track of them?

Good morning,

I always read that in order to invalidate sessions based on JWT or any kind of tokens, it is mandatory to keep track of each individual token associated with a user, maybe in memory, maybe in a Redis database.

But reading the documentation for the npm package express-jwt, a package that can be used to generate a middleware to protect the API endpoints, there is a useful feature that lets you get the secret dynamically with a function: https://www.npmjs.com/package/express-jwt#multi-tenancy

So I was thinking that I can save a different secret for every user, store it on the user record, and when the JWT needs to be verified, just read it from there.

When a user requests to revoke all of his active sessions, just change the secret on his database record, and the next time that the JWT is used, the verification will fail.

What do you think?

Submitted July 01, 2019 at 07:55AM by santypk4
