
[Question] How to implement logout?

Open nareshtank001 opened this issue 8 years ago • 12 comments

How to invalidate or black list token on logout?

nareshtank001 avatar Apr 28 '17 10:04 nareshtank001

I believe you would need to create a black list / remove it from the client side. Here is a github discussion: http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens

TheHollidayInn avatar Apr 29 '17 03:04 TheHollidayInn

A good idea would be to set a reasonable time to live for the token.

jwt.sign({some: data}, config.mySecret, { expiresIn: '1d' });

jwt.sign options

osahner avatar May 01 '17 15:05 osahner

@TheHollidayInn As per your solution, if we save tokens in the DB then we have to check their availability on every request. It will incur overhead on the server, and we will also lose statelessness.

nareshtank001 avatar May 02 '17 04:05 nareshtank001

@osahner If we set an expiration time and the client logs out in between, our token is still valid for up to 1 day. Also, suppose I delete the token from the client's localStorage; if somebody has the token by any means, that token is still valid for 1 day even though it has been deleted from the client.

nareshtank001 avatar May 02 '17 04:05 nareshtank001

@nareshtank001 JWT is lightweight by design. You have to handle token expiration on your own.

osahner avatar May 02 '17 06:05 osahner

Actually I just implemented a blacklist solution using https://www.npmjs.com/package/express-jwt-blacklist and Redis.

okonon avatar May 04 '17 14:05 okonon

You would want to blacklist your token on user logout

okonon avatar May 04 '17 14:05 okonon

@okonon good find!

osahner avatar May 04 '17 15:05 osahner

The library used also has an option to check revoked: https://github.com/auth0/express-jwt under "Revoked tokens". Could be used in combination with the blacklist library.

TheHollidayInn avatar May 04 '17 15:05 TheHollidayInn

Yeah, it works pretty well!

okonon avatar May 04 '17 22:05 okonon

There is a nice writeup by auth0 about signing and revoking.

https://auth0.com/blog/blacklist-json-web-token-api-keys/

osahner avatar May 06 '17 13:05 osahner

I'm using a session id to create tokens that you can delete. The point of this is to create sessions on different devices; you can store the sessions in a DB like Redis or Mongo itself (in Redis you can create the keys with an expiration), and the idea is for the user to see the created sessions and delete one in case a device no longer needs to access the account.

Something like this in the JWT:

{ username: "<username>", sid: "<session id>" }

sespinosa avatar Nov 18 '17 07:11 sespinosa