This is very hard with JWT

This is more of a db based session approach

once user aquires new session you invalidate previous session

for it to work with JWT, you either need to use polling or WS to keep your frontend and backend in sync

when user login, emit a WS event on prev device and log out

An easy solution would be to have valid user sessions on backend with expiration time. If user logs in in another device, his previous sessions are cleaned, invalidating the tokens. For frontend to know about it, it would have to do some request. Easiest way is to query session status every couple minutes. Then if any of the requests returns 401, you can clear the session from local storage. WebSockets are valid too, but it's Pandoras Box of other issues if you care to open it.

Don't want to use websockets, i will need to modify many things then.
And I think polling is not very efficient, or is it?

What i have done right now is:

I made a Sessions table, and I am storing user_id and jwt.

And when a login api is called (username-passwrd provided by user on login page), I am checking if there is already any user_id associated with that username in Sessions table.

If there is, i will invalidate the jwt, and store the new jwt token. (so now device 1 will have invalidated jwt). So any request made frm device 1 wont work.

Is this the best I can do given my current setup?

Yes, i was thinking to use polling, but I thought it won't be very efficient.
Also my userbase is like...most of them would logout before leaving the platform, so auto-logout feature would be for very small users or in-case someone forgots. And I dont want to make unnecessary session-check requests every 30-60sec (or even 5min) for rest of the users.
Am I being reasonable?

TBH, I always use different approach - set valid time on jwt for something like 1 day. It will then auto-clear itself. users will still be able to get session overlap between devices, but in most cases I don't think it is an issue. If you want to be extra aggressive, put jwt into session storage and it will clear itself when the tab is closed.

If you do need active session cleanup, I'd either use polling, or simply let the jwt lie on another device. Once someone comes to it and asks for some data, the app will get 401 anyway, which may force logout on UI.

yes, i want to go with the later approach, jwt will lie on device 1, and when someone asks for some data, it should give 401.

I am almost ready with it.
in login api, i check if there is any previous session for that user, if there is, I simply remove it and then make new jwt and store that in my Session table. (session table keep track of all logged in users: user_id and jwt are stored)

But i also need to invalidate the previous jwt before removing it from Session table, and I am confused how to do it

You cannot, unless you check it always against session table. JWTs are client-side state, so the only way to invalidate it is to keep track of actve tokens in db, remove old when new login happens and check each request against contents of the session table (with some smart caching for speedup)

cant i blacklist my tokens? and store them in some Blacklist-Table in DB?

on login, i will check if there is already any session, and if user wants to logout from previous device, i can simply blacklist that token and it should now give 401

Isn't session table already something that is whitelist in this case? Blacklist table will grow constantly and require cleanup. Whitelist is safer - on request check if jwt is there, if it is, accept, if not, return 401

ohh...yes

just want to clarify...

right now my APIs look like this:

@app.route('/api/get_clients', methods=['GET'])
@jwt_required()
def get_clients():
    current_user = get_jwt_identity()
    if current_user['role'] != 'admin':
        return jsonify({'message': 'Unauthorized'}), 403

    clients = [client.client_name for client in Client.query.all()]

    return jsonify({'clients': clients})

Currently I use @jwt_required() .
So, here, I do an additional check if jwt is present in my Session Table or not. If yes, I proceed with the request, if not, I send 401?

Yes, that's the general idea. Although I don't know if there is an easy way to add it in flask. You could probably write your won jwt_required alternative, that does both jwt_required and additional check in db.

got it sir 🫡

will make a custom decorator, will add 2 things:
- check if jwt is in session table
- then @jwt_required()

and will add that decorator under each API request