you can do that by saving the watched movies inside your database (what you propably already doing right now) and then generate and save a token for the share, that the other person enter. This token will be checked against the database and contain information what the user with this token is allowed to watch (for example "the last 2 movies from the history from person X". Or "Read the full history of person X". Or ...)

Yeah that is what I was thinking too. I use JWTs so i can put what permissions that token has in the payload and block access from mutations in the backend.

You only need to encrypt JWTs, when they saved on the client, to block mutations (for example). But you want a shareable solution. Your database can't be mutated from the client. So save the token and the permissions assosiated with the token inside your database, to make it immutable by the client and shareable from the client

how would user tamper with the JWT? The entire point of them is that they can be decoded but not tampered with.

The jwt is just a json object, that is encrypted with a code, that only the server knows. So if the user change this json object, the server can't validate the object anymore. And that means: after the client changed the json object, the object will be invalid

That's just a simple explaination and not the full detail

true. but its on the user that they messed with a token. self healing tokens is not a requirement. If the token has been tampered with, then it is wrong, thats all.

yea, User A (that want to share the watched movies) clicks a button (for example) and that creates this token. User A get this token (maybe directly integrated in an url, so User A can directly share it). User B now get this url (with the token included). User B visits this url. When visiting the server checks if the token is valid and what kind of permissions it has. The page will be rendered based on these permissions.

Of course User B can change this token inside the url. Yea, and then? The url is invalid. Ok, and? So there is no problem to share this token

yep correct.

i think i will go forward with this only

happy to help. Please mark solution

How would I go about revoking these?

Delete them from the table. The table itself may also contain an id to the account from which this token was created, so you can check if the person who want to delete/revoke it, is allowed to do that

JWTs are self contained so they are not stored in the DB at all.

It's not about JWT. It's more about tokens like I described here: https://nextjs-forum.com/post/1260471792594583582#message-1260478037540208711

hmm that would require me to rebuild my entire auth flow. not sure if i want to undertake that

why would you need to rebuild your flow?

The auth flow has nearly nothing to do with the token creation of the movies

its not only movies. users can create collections, create workouts etc and all of them use JWT for authentication

so you are talking about checking permissions on the frontend?

I have a remix frontend and rust backend, connected using graphql

Do you call function for creating a collection or workout or ... in the frontend? I don't think so. I am talking about checking this when calling the function

yeah the frontend is responsible for calling the mutation that creates workouts etc

yea and these mutations are handled serverside, right?

Correct

Thanks for clarifying. So check the permissions inside your functions: https://nextjs-forum.com/post/1260471792594583582#message-1260495928142594078

alright this is the way to go. thanks!

sure thing