oxide-auth

Explore options for token invalidation

Open HeroicKatora opened this issue 6 years ago • 0 comments

Project Improvement

Self-encoded tokens suffer from not being revocable at all. At the same time, the storage backend does not yet remove expired tokens from memory and offers no interface for manually invalidating an existing token.

Both aspects are worth exploring as a security improvement and, for the storage case, even as a reduction of the memory footprint. A first idea is to sweep the token store after some timer has expired or on the next mutable access after a time point.

This is open for suggestions and discussion.

Tracking pull request

  • [ ] A pull request does not yet exist

HeroicKatora, Feb 07 '18 18:02
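One way both directions of the issue could look in code, as an added example that is not part of the issue and not oxide-auth's own code: a `TokenStore` for opaque tokens that sweeps expired entries on the next mutable access once a configurable interval has elapsed (the "timer or next mutable access" idea above) and exposes an explicit `revoke`, plus a `Denylist` that gives self-encoded tokens a limited form of revocation by remembering a revoked token's id only until that token would have expired anyway. `Grant`, `TokenStore`, `Denylist` and all their methods are hypothetical names chosen for the example; time is a caller-supplied `u64` logical clock so the behaviour is deterministic and the sweep condition is easy to follow.

```rust
use std::collections::HashMap;

// Added example for the token-invalidation discussion. None of these types exist in
// oxide-auth; they are assumptions made for illustration. Time is a plain u64 logical
// clock (seconds) passed in by the caller rather than std::time, so tests are deterministic.

/// What a bearer token resolves to. Hypothetical, not oxide-auth's grant type.
#[derive(Clone, Debug, PartialEq)]
pub struct Grant {
    pub owner: String,
    pub scope: String,
    /// Absolute expiry on the caller-supplied clock.
    pub expires_at: u64,
}

/// In-memory store for opaque tokens. Expired entries are swept lazily: on the next
/// mutable access once `sweep_interval` has elapsed since the last sweep. Reads never
/// hand out an expired grant even if the sweep has not run yet, so laziness affects
/// only memory, never correctness.
pub struct TokenStore {
    tokens: HashMap<String, Grant>,
    sweep_interval: u64,
    last_sweep: u64,
}

impl TokenStore {
    pub fn new(sweep_interval: u64) -> Self {
        TokenStore { tokens: HashMap::new(), sweep_interval, last_sweep: 0 }
    }

    /// Drop every grant that is no longer valid at `now`; returns how many were removed.
    pub fn sweep(&mut self, now: u64) -> usize {
        let before = self.tokens.len();
        self.tokens.retain(|_, grant| grant.expires_at > now);
        self.last_sweep = now;
        before - self.tokens.len()
    }

    /// The "timer" check: sweep only when the interval has elapsed, so a hot store
    /// does not pay a full scan on every write.
    fn maybe_sweep(&mut self, now: u64) {
        if now.saturating_sub(self.last_sweep) >= self.sweep_interval {
            self.sweep(now);
        }
    }

    pub fn issue(&mut self, token: &str, grant: Grant, now: u64) {
        self.maybe_sweep(now);
        self.tokens.insert(token.to_owned(), grant);
    }

    /// Lookup filters on expiry so an entry the sweep has not reached yet is still refused.
    pub fn recover(&self, token: &str, now: u64) -> Option<&Grant> {
        self.tokens.get(token).filter(|grant| grant.expires_at > now)
    }

    /// Manual invalidation of one token. Returns whether the token was present.
    pub fn revoke(&mut self, token: &str, now: u64) -> bool {
        self.maybe_sweep(now);
        self.tokens.remove(token).is_some()
    }

    pub fn len(&self) -> usize {
        self.tokens.len()
    }
}

/// Revocation list for self-encoded tokens. Such a token cannot be recalled, but if it
/// carries a unique id the issuer can refuse that id until the token would have expired
/// on its own; afterwards the entry is dropped, so the list is bounded by the number of
/// revocations within one token lifetime. A self-encoded token without an id cannot be
/// revoked individually by this scheme.
#[derive(Default)]
pub struct Denylist {
    /// id -> expiry of the revoked token.
    revoked: HashMap<String, u64>,
}

impl Denylist {
    pub fn new() -> Self {
        Denylist::default()
    }

    /// Remember `id` as revoked until `expires_at`. Already-expired tokens are not stored.
    pub fn revoke(&mut self, id: &str, expires_at: u64, now: u64) {
        self.sweep(now);
        if expires_at > now {
            self.revoked.insert(id.to_owned(), expires_at);
        }
    }

    pub fn is_revoked(&self, id: &str, now: u64) -> bool {
        self.revoked.get(id).map_or(false, |&expires_at| expires_at > now)
    }

    /// Drop entries whose token has expired anyway; returns how many were removed.
    pub fn sweep(&mut self, now: u64) -> usize {
        let before = self.revoked.len();
        self.revoked.retain(|_, expires_at| *expires_at > now);
        before - self.revoked.len()
    }

    pub fn len(&self) -> usize {
        self.revoked.len()
    }
}
```

The two pieces answer different halves of the issue: the store's `sweep` and `revoke` cover the storage backend, while the denylist is the usual compromise for self-encoded tokens, which only works when the encoder puts a unique id into every token and keeps lifetimes short enough that the list stays small.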