aarona / devise_jwt_auth

A JWT-based port of Devise Token Auth
Do What The F*ck You Want To Public License

Ability to invalidate tokens in the wild. #4

Open aarona opened 4 years ago

aarona commented 4 years ago

This feature would add the ability to invalidate any existing JWT tokens by adding a new attribute in the JWT payload to contain a token_version that can be changed by the server for any reason.

DJA would use this feature when a user resets their password or logs out. Any developer using this library could do this manually by calling something like user.invalidate_tokens!. To implement this, a new column in the resource table would need to be added: token_version. Then when validating a user with the JWT token, the user would need to be found not only by uid but also by token_version. If the token_version doesn't match, the request to log in isn't valid either.

Maybe in the future a client column of type json could be used to keep track of a client's token_version so that a particular client could be logged out or invalidated. Then, if a user resets their password, something like user.invalidate_all_tokens! could be called, which would invalidate every client?
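The following is an added illustration of the scheme described in this comment, not code from devise_jwt_auth. It keeps a global `token_version` per user and, for the per-client idea at the end, a `client_versions` hash standing in for the proposed json column. The user store (`USERS`), the HMAC secret, and the method names `invalidate_all_tokens!` and `invalidate_client!` are assumptions made for the example; tokens are HS256 JWTs built with only the Ruby standard library.

```ruby
require 'openssl'
require 'json'

# Constructed HMAC secret for this example only (a real app would use its own secret).
HMAC_SECRET = 'constructed-example-secret'.freeze
TOKEN_TTL   = 3600 # seconds

# In-memory stand-in for a resource (users) row. token_version is the proposed new
# column; client_versions stands in for the proposed json column keyed by client id.
class User
  attr_reader :uid, :token_version, :client_versions

  def initialize(uid)
    @uid = uid
    @token_version = 1
    @client_versions = Hash.new(1) # unknown clients start at version 1
  end

  # Bumping the global version invalidates every token issued under the old value,
  # e.g. on password reset.
  def invalidate_all_tokens!
    @token_version += 1
  end

  # Bumping one client's version logs out only that client.
  def invalidate_client!(client_id)
    @client_versions[client_id] += 1
  end
end

USERS = {} # constructed in-memory store standing in for the resource table

def register_user(uid)
  USERS[uid] = User.new(uid)
end

def base64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def base64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

def hmac_sign(signing_input)
  base64url_encode(OpenSSL::HMAC.digest('SHA256', HMAC_SECRET, signing_input))
end

# Constant-time comparison so a forged signature cannot be confirmed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token carrying uid plus the global and per-client versions current at issue time.
def issue_token(user, client_id, now: Time.now.to_i)
  header  = base64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = base64url_encode(JSON.generate({
    uid: user.uid,
    client_id: client_id,
    token_version: user.token_version,
    client_version: user.client_versions[client_id],
    exp: now + TOKEN_TTL
  }))
  "#{header}.#{payload}.#{hmac_sign("#{header}.#{payload}")}"
end

# Returns the User when the token is authentic, unexpired, and both versions still
# match the stored row (the "find by uid AND token_version" check); nil otherwise.
def authenticate(token, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  return nil unless secure_compare(hmac_sign("#{header_b64}.#{payload_b64}"), sig_b64)

  header  = JSON.parse(base64url_decode(header_b64))
  payload = JSON.parse(base64url_decode(payload_b64))
  return nil unless header['alg'] == 'HS256' # reject alg-confusion tokens
  return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now

  user = USERS[payload['uid']]
  return nil unless user && user.token_version == payload['token_version']
  return nil unless user.client_versions[payload['client_id']] == payload['client_version']
  user
rescue JSON::ParserError, ArgumentError
  nil
end
```

Because the version lives in the signed payload, the server needs no per-token blacklist: a request with a stale version fails the comparison and the user must log in again, which is exactly the behaviour wanted after a password reset or logout.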

aarona commented 4 years ago

More info regarding managing per-client tokens...

Some fields for each client that might be useful for security purposes:

This information could then be retrieved through a new REST endpoint. The ability to invalidate tokens for a particular client or for all clients would be especially useful.