How to invalidate a JWT token with no expiry time

Question

Am creating a node.js backend app using JWT. For me the requirement is simple, that the authorization token shouldn't have any expiry time. But I am facing problem during invalidating JWT When user changes his password.

When user changes his password, I will create a new JWT Token, and delete the old token, but still the user can use his old JWT token (from other logged in devices) and can access the application.

So can anyone tell me how to avoid this scenario?

Answer 1

Looks like a familiar question to me, I have already answered the similar question Best practices to Invalidate a JWT Token .

So the steps for solving ur problem as follows,

when user login, create a login token in his user database with no expiry time.

Hence while invalidating a JWT, follow the below steps,

• retrieve the user info and Check whether the token is in his User database. If so allow.
• When user logs out, remove only this token from his user database.
• When user changes his password, remove all tokens from his user database and ask him to login again.

So basically you need to store tokens in user's database and make use of it while invalidating. Simple :)

Answer 2

The exp claim of a JWT is optional. If a token does not have it it is considered that it does not expire

According to documentation of https://www.npmjs.com/package/jsonwebtoken the expiresIn field does not have a default value either, so just omit it.

var token = jwt.sign({email:'[email protected]',role:'User'}, "Secret", {});

---