HousewareHQ / backend-engineering-octernship


What is the best practice to revoke token? #7

Open thepranays opened 1 year ago

thepranays commented 1 year ago

Assume a case in our assignment, that an ADMIN removes itself from the database. Now the logic I have written allows this removed ADMIN to access authorised endpoints until the access token expires (happens after 1hr), and then after 1 hr during refresh token rotation it throws 401: Unauthorised as the user does not exist anymore.

I want to know what the best practice is to revoke a token and shut down the user's authorised access. Is it okay to just stick with the logic I have, or can there be something more effective for this assignment's purpose?

EDIT: Implemented logic which checks whether the user exists in the DB or not while validating the access token in the authorization middleware. Basically, using the token's claims, the user's document ID is taken from the token and passed to the `.findByID()` method to query the database; if this fails, the user no longer exists, hence the user is now unauthorised.