Lucky does not have a way to revoke API authentication JWT tokens. While the clients can delete them themselves, force-logout (e.g. lost device) is not possible.
I'm not familiar with how this works, but it sounds like a nice idea to add. I'd be open to a PR. Probably would have to go in https://github.com/luckyframework/authentic ?
A simple solution, if you're already using JWTs, is to just store the JWTs in the database and validate them on every API endpoint. Obviously, this defeats the purpose of JWTs, but it would gain the ability to revoke them.
Could you provide more context on what you're looking for?
One scenario which would require a system to provide a removal of existing sessions is this. When your account is suspected of compromise, it's important to be able to log out all existing sessions before changing your password. Otherwise, someone who is logged in can easily stay logged in.
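A minimal illustration of the approach proposed above (keep server-side state beside the JWT and check it on every request) covering both the lost-device case and "log out all sessions". This is an added example, not code from Lucky, Authentic or anyone in this thread; the hand-rolled HS256 JWT and the in-memory `TokenStore` (a stand-in for a database table) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed demo key; a real deployment reads this from its secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenStore:
    """Hypothetical in-memory stand-in for the DB table that makes JWTs revocable."""

    def __init__(self):
        self.revoked_jti = set()   # individual tokens revoked (e.g. lost device)
        self.generation = {}       # user -> current session generation

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        gen = self.generation.setdefault(user, 0)
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": user, "jti": uuid.uuid4().hex, "gen": gen, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims).encode())
        sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"

    def revoke(self, jti: str) -> None:
        """Revoke one token (force-logout of a single device)."""
        self.revoked_jti.add(jti)

    def logout_all(self, user: str) -> None:
        """Invalidate every outstanding token for the user by bumping the generation."""
        self.generation[user] = self.generation.get(user, 0) + 1

    def verify(self, token: str, now: int):
        """Return the claims if the token is authentic, unexpired and not revoked, else None."""
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
                return None
            claims = json.loads(_unb64(body))
            if claims["exp"] <= now or claims["jti"] in self.revoked_jti:
                return None
            if claims["gen"] != self.generation.get(claims["sub"], 0):
                return None  # issued before the user's last "log out everywhere"
            return claims
        except (ValueError, KeyError):
            return None
```

Every authenticated endpoint calls `verify` on each request, which is the per-request database hit the comment above trades for revocability.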
Worth reading:
https://evertpot.com/jwt-is-a-bad-default/
What about providing a database-based session too?