We did some research into the best approach for handling logouts securely (ticket #43). Please refer to the comments in that ticket for details on possible implementation.
The frontend will delete the httpOnly cookie that stores the JWT when a user logs out. But, for added security, we want to be able to invalidate that token on the server side before it expires, so that a copy of the token captured elsewhere stops working at logout rather than at expiry.
The plan is that when a user logs out, the frontend will call the "/logout" endpoint in the backend and include the token in the Authorization header. The backend will then extract the token, decode it, read its JWT ID ("jti" claim) and work out when it expires ("exp" claim). It will pass this info to be added to the invalid tokens list in redis, with the redis entry living only until the token's own expiry, since an expired token is rejected anyway.
We will need to create a function that maps to express-jwt's "isRevoked" property, so that every authenticated request checks whether the current token's jti is on the invalid list.