Open tristanmkernan opened 6 years ago
currently, jwt does not expire. is this ok?
this is a critical bug, it allows arbitrary account takeover. consider:
potential solution: instead of user_id, base tokens off email. not such a problem because we are emailing them the token anyway.
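An added example, not code from this issue or from the project: one way to issue and check an HS256 token that is bound to the email address, as the proposed solution suggests, and that carries an expiry. The secret, the 15-minute lifetime and all function names are assumptions made for illustration, and the signing is written out with the standard library so the block runs without a JWT package.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed value for this example
TTL_SECONDS = 15 * 60                 # assumed lifetime; the page names none

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def issue_token(email, now=None):
    """Issue an HS256 token bound to the email address, with an expiry."""
    now = int(time.time() if now is None else now)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"email": email, "iat": now, "exp": now + TTL_SECONDS}
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input)

def verify_token(token, now=None):
    """Return the email the token was issued for, or None if rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig = token.split(".")
        # Check the signature before trusting anything inside the token.
        if not hmac.compare_digest(sig, sign(header_b64 + "." + claims_b64)):
            return None
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(claims_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(claims, dict):
        return None
    # A missing or non-numeric "exp" is rejected, so a token that was
    # issued without an expiry never validates.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    email = claims.get("email")
    return email if isinstance(email, str) else None
```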