Closed tranphuc410 closed 7 years ago
Nope, there should be a smaller expiry on jwt tokens, or you may bake some logic to deny all JWT tokens issued before password change.
This can be done easily by adding another middleware post the auth middleware.
Also I will see what best can be provided to fetch the creation time of the JWT token.
http://adonisjs.com/docs/3.2/authentication#_generate_user
Also, the `generate` method takes the 2nd param as an object that you want to put in the payload. What you can do is send the current date time in the payload and check it to make sure whether the user's password was changed after that time or not.

```js
auth.authenticator('jwt').generate(user, { issueTimestamp: new Date().getTime() })
```

And the same can be validated when you receive the token.
Closing since not actionable and no response from the issue reporter
Is there a way how I can have access to the stored token and can I delete it somehow from there ( without making some kind of a "black list" logic ) ?
Not related to AdonisJs but related to JWT, which is a standard: https://stackoverflow.com/questions/28759590/best-practices-to-invalidate-jwt-while-changing-passwords-and-logout-in-node-js
I think we should encrypt password into jwt token.