How can I invalidate the JWT token when a user clicks the logout button? I have done some research but I was not able to find any good implementation.
You were not able to find any way to "expire" a JWT because there is no such way. We can say it's a drawback of JWT.
If the token is compromised, then it's a huge problem. You might want to consider another auth mechanism if you need to invalidate tokens/sessions.
The only way to "invalidate" such a token would be to use another secret key on the backend - which is obviously an exceptionally horrible idea!
However, if you are looking for a way to "log out" a user on the frontend, simply clear the JWT from storage. (Still, if that user copied the token, he will be able to execute requests against the REST API.)
One option is to just have a bannedUsers table. You could possibly even cache this table. If a user's account ever becomes compromised, you can just add them to the table until their token expires. It would be a lookup every time (unless cached), but there would most likely always be 0 records in the table so it would be very fast.
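The denylist approach from the answer above, as an added example that is not from either answerer: a minimal HS256 JWT signer/verifier (standard library only; the secret, claim values and the `revoked` dict are constructed for the demo) where logout records the token's `jti` until its `exp` passes, and every verification checks signature, expiry and the denylist.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict) -> str:
    """Minimal HS256 JWT encoder (demo only; use a vetted library in production)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Denylist of revoked token ids: jti -> exp. An entry is only needed until the
# token's own exp passes, which keeps the table tiny (the "bannedUsers" idea above).
revoked: dict = {}

def verify(token: str, now: int) -> Optional[dict]:
    """Return claims if alg, signature, expiry and denylist checks pass, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg confusion / "none"
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, KeyError):
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in revoked:
        return None
    return claims

def logout(token: str, now: int) -> bool:
    """Revoke a still-valid token: remember its jti until the token would expire anyway."""
    claims = verify(token, now)
    if claims is None:
        return False
    revoked[claims["jti"]] = claims["exp"]
    return True

def prune(now: int) -> None:
    """Drop denylist entries whose tokens have expired on their own."""
    for jti in [j for j, exp in revoked.items() if exp <= now]:
        del revoked[jti]
```

Keying on `jti` rather than user id lets one session be logged out without revoking the user's other tokens; a per-user entry works the same way when a whole account is compromised.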