Express JWT - how do I invalidate current active access token
Answered
Rhinelander posted this in #help-forum

RhinelanderOP
Once the user logs in, access and refresh tokens are generated. The refresh token gets added to the DB. When the user tries to access a protected resource, middleware runs and checks if the token is valid. Once the access token expires you can generate a new access token with the refresh token on the "/auth/token" route. When I call the "/logout" route the refresh token gets deleted from the DB. But when I try to go to a protected resource I can still access it with my current access token, which expires in 15 min. But when a person wants to log out I don't want to allow them to access protected resources. I read that I should blacklist my current access token but I'm not sure how to do that.
Answered by iyxan23
well in that case you should just remove the access token after the user has logged out


There's no way of working around that; the reason this refresh-token method exists is to reduce the overhead of doing database queries on every request to authorize.
You can either reduce the refresh time to something like 5 minutes, or, from what I could understand from your question, you don't seem to remove the JWT after the user has logged out?

RhinelanderOP
I remove the refresh token, but if a user logs in and tries to log out they can't, as the current access token is still active. Reducing it to a lower time won't help unless it is a couple of seconds, but that defeats the purpose of JWT. I've read about blacklisting the access token, but apart from that I haven't found any other solutions.
Should I just remove the token from local storage when logging out?

well in that case you should just remove the access token after the user has logged out
Answer

RhinelanderOP
The user would still be able to access it programmatically, but that will probably be no one.

it does take a while to invalidate, but that's just how it is

RhinelanderOP
Thanks
good luck