Closed rkoberg closed 8 years ago
If your request succeeds then it means you used the same secret as before and also the role in the jwt token still exists and has access to that table.
JWT is just base64; you decode it and look at the exp field. If there is no such field, the token is valid unless the server changed the secret.
OK, makes sense.
I have been rolling back/migrating/seeding often. I create a user with an "admin"-type role that has access to all tables. I rollback the DB and migrate/seed so that there are now no tokens or users present in the DB. If my browser still has a token (from a now nonexistent user), and sends that in the request to a protected resource, the request succeeds. Should that be the case?
Additionally/alternatively, how should you check if a token is still valid in the current version of PostgREST? What about the soon :) to be released version? I see https://github.com/begriffs/postgrest/issues/428 but no resolution.
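An added example, not PostgREST's own code, of what the check described in the replies amounts to: verify the HS256 signature against the shared secret, then the exp claim. The secrets, claims and timestamps are constructed; it shows why a token from a deleted user still passes while the secret is unchanged, and what rotating the secret or setting exp changes.

```python
import base64, hashlib, hmac, json, time
def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token the way a PostgREST client would, with a shared secret."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_token(token: str, secret: bytes, now=None) -> str:
    """Return 'valid', 'bad_signature', 'expired' or 'malformed'.
    Only the signature and exp are checkable here; a deleted user row is not."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return "malformed"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "malformed"
    # Pin the algorithm; never trust the alg the token itself claims.
    if header.get("alg") != "HS256":
        return "bad_signature"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return "bad_signature"
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        return "expired"
    return "valid"

def demo() -> dict:
    old_secret, new_secret = b"constructed-secret-1", b"constructed-secret-2"  # constructed
    t0 = 1_700_000_000  # constructed "now"
    no_exp = sign_hs256({"role": "admin"}, old_secret)  # the stale browser token from the thread
    with_exp = sign_hs256({"role": "admin", "exp": t0 + 3600}, old_secret)
    return {
        "stale_user_same_secret": check_token(no_exp, old_secret, now=t0),    # 'valid'
        "after_secret_rotation": check_token(no_exp, new_secret, now=t0),     # 'bad_signature'
        "before_exp": check_token(with_exp, old_secret, now=t0),              # 'valid'
        "after_exp": check_token(with_exp, old_secret, now=t0 + 3601),        # 'expired'
    }
```

The first two results are the thread's situation: the server can only verify the signature and exp, so removing the user row changes nothing until the secret is rotated or the token carries an exp.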