Open aarona opened 4 years ago
More info regarding managing per client tokens...
Some fields for each client that might be useful for security purposes:
This information could then be retrieved through a new REST endpoint. The ability to invalidate tokens for a particular client or for all clients would be especially useful.
This feature would add the ability to invalidate any existing JWT tokens by adding a new attribute in the JWT payload to contain a `token_version` that can be changed by the server for any reason. DJA would use this feature when a user resets their password or logs out. Any developer using this library could do this manually by calling something like `user.invalidate_tokens!`. To implement this, a new column in the `resource` table would need to be added: `token_version`. Then when validating a user with the JWT token, the user would need to be found not only by `uid` but also by `token_version`. If the `token_version` doesn't match, the request to log in isn't valid either.

Maybe in the future a `client` column of type `json` could be used to keep track of a client's `token_version` so that a particular client could be logged out or invalidated. Then, if a user resets their password, something like `user.invalidate_all_tokens!` could be called which invalidates every client?
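As an added Ruby sketch of the `token_version` check proposed above (example code, not DJA's own): tokens carry the claim, authentication compares it against the stored column, and `invalidate_tokens!` bumps the version so older tokens stop validating. The HS256 helpers, `SECRET` and the in-memory user store are assumptions standing in for the library's encoder and the database.

```ruby
require "json"
require "base64"
require "openssl"

# In-memory stand-in for a row of the resource table (constructed for this example).
class User
  attr_reader :uid, :token_version

  def initialize(uid)
    @uid = uid
    @token_version = 0
  end

  # Bumping the version makes every token minted with the old value unusable.
  def invalidate_tokens!
    @token_version += 1
  end
end

# Minimal HS256 JWT helpers, assumed here; the library's own encoder is not on the page.
SECRET = "constructed-example-secret".freeze

def b64(str)
  Base64.urlsafe_encode64(str, padding: false)
end

def issue_token(user)
  header  = b64({ alg: "HS256", typ: "JWT" }.to_json)
  payload = b64({ uid: user.uid, token_version: user.token_version }.to_json)
  sig = OpenSSL::HMAC.digest("SHA256", SECRET, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64(sig)}"
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user when the signature is valid AND the token_version claim matches
# the stored column; otherwise nil, and the request is treated as not logged in.
def authenticate(token, users_by_uid)
  header, payload, sig = token.split(".")
  return nil unless header && payload && sig
  expected = OpenSSL::HMAC.digest("SHA256", SECRET, "#{header}.#{payload}")
  return nil unless secure_compare(expected, Base64.urlsafe_decode64(sig))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  user = users_by_uid[claims["uid"]]
  user if user && user.token_version == claims["token_version"]
end
```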