Open egeldenhuys opened 6 years ago
Currently if a user's password is changed, all their valid tokens still remain valid.
I propose checking when the user record was last updated (Sequelize has this field already) and comparing it with the `iat` in the token.
This will also invalidate tokens when other fields such as roles are changed, although we might need to set the `updated at` manually for the user.
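As an added illustration of the check proposed in the issue (example code, not from this project): a pure function that compares the token's `iat` claim with the Sequelize `updatedAt` timestamp, plus an Express-style middleware that uses it. The `verifyJwt` and `findUserById` dependencies are assumed placeholders for the project's JWT verification and user lookup.

```javascript
// Added example (not code from this project): decide whether a JWT was issued
// before the user record was last modified (password or role change).
// Assumes the Sequelize default `updatedAt` column and a decoded JWT payload
// whose `iat` claim is a Unix time in seconds.

/**
 * Returns true when the token must be rejected because the user record
 * changed after the token was issued.
 * @param {{iat?: number}} payload  decoded JWT claims
 * @param {{updatedAt: Date|string|number}} user  Sequelize user instance
 */
function isTokenStale(payload, user) {
  // No usable iat: the token cannot prove it predates the change, so reject.
  if (!payload || typeof payload.iat !== 'number' || !Number.isFinite(payload.iat)) {
    return true;
  }
  const updatedMs = new Date(user.updatedAt).getTime();
  if (Number.isNaN(updatedMs)) {
    return true; // unreadable timestamp: fail closed
  }
  // iat has one-second resolution while updatedAt has milliseconds. Compare at
  // second resolution so a token issued later in the same second as the update
  // is not rejected by truncation alone.
  return Math.floor(updatedMs / 1000) > payload.iat;
}

// Express-style middleware factory. `verifyJwt` (e.g. jsonwebtoken.verify
// bound to the signing key) and `findUserById` (a Sequelize lookup) are
// assumed, injected dependencies.
function requireFreshToken(verifyJwt, findUserById) {
  return async function (req, res, next) {
    try {
      const header = req.headers.authorization || '';
      const token = header.startsWith('Bearer ') ? header.slice(7) : null;
      if (!token) return res.status(401).end();
      const payload = verifyJwt(token); // throws on bad signature or expiry
      const user = await findUserById(payload.sub);
      if (!user || isTokenStale(payload, user)) {
        return res.status(401).end(); // password/role changed: force re-login
      }
      req.user = user;
      return next();
    } catch (err) {
      return res.status(401).end();
    }
  };
}
```

If roles live in a separate table, the role-change handler must also bump `updatedAt` on the user row (as the issue notes), otherwise this check will not see the change.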