adonisjs / auth

Official Authentication package for AdonisJS
https://docs.adonisjs.com/guides/auth/introduction
MIT License

Older jwt token still is valid after password change #52

Closed tranphuc410 closed 7 years ago

tranphuc410 commented 7 years ago

I think we should encrypt password into jwt token.

thetutlage commented 7 years ago

Nope, there should be a smaller expiry on jwt tokens, or you may bake some logic to deny all JWT tokens issued before password change.

This can be done easily by adding another middleware post the auth middleware.

Also I will see what best can be provided to fetch the creation time of the JWT token.

thetutlage commented 7 years ago

http://adonisjs.com/docs/3.2/authentication#_generate_user

Also, the generate method takes the 2nd param as an object that you want to put in the payload. What you can do is send the current date time in the payload and check it to make sure whether the user's password was changed after that time or not.

auth.authenticator('jwt').generate(user, { issueTimestamp: new Date().getTime()  })

And same can be validated when you receive the token
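The check described above, written out as an added example that is not code from adonisjs/auth: a token whose `issueTimestamp` (ms since epoch, as set by the `generate()` call) predates the user's last password change is refused. The `passwordChangedAt` column on the user record, the `request.auth.payload` / `request.auth.user` names and the Express-style middleware signature are assumptions for illustration.

```javascript
'use strict'

// Tolerated clock drift for an issueTimestamp that lies in the future.
const MAX_FUTURE_SKEW_MS = 60 * 1000

/**
 * Returns { ok: true } when the token may still be used, otherwise
 * { ok: false, reason }. Fails closed: a payload without issueTimestamp
 * (e.g. a token minted before this check was deployed) is rejected.
 * `user.passwordChangedAt` is a hypothetical column holding the time of
 * the last password change; absent means the password was never changed.
 */
function checkTokenAgainstPasswordChange (payload, user, now = Date.now()) {
  const issued = payload && payload.issueTimestamp
  if (!Number.isInteger(issued)) {
    return { ok: false, reason: 'missing issueTimestamp' }
  }
  if (issued > now + MAX_FUTURE_SKEW_MS) {
    return { ok: false, reason: 'issueTimestamp is in the future' }
  }
  const changedAt = user && user.passwordChangedAt
    ? new Date(user.passwordChangedAt).getTime()
    : 0
  if (issued < changedAt) {
    return { ok: false, reason: 'token issued before password change' }
  }
  return { ok: true }
}

// Middleware to register after the auth middleware. The auth middleware is
// assumed to have placed the authenticated user and the decoded JWT payload
// on request.auth; adapt the property names to what your provider exposes.
function denyTokensIssuedBeforePasswordChange () {
  return async function (request, response, next) {
    const result = checkTokenAgainstPasswordChange(
      request.auth.payload, request.auth.user)
    if (!result.ok) {
      return response.status(401).json({ error: result.reason })
    }
    await next()
  }
}
```

Tokens issued in the same password-change request should be minted after `passwordChangedAt` is written, so they pass the comparison.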

thetutlage commented 7 years ago

Closing since not actionable and no response from the issue reporter

GencBlakqori commented 6 years ago

Is there a way how I can have access to the stored token, and can I delete it somehow from there (without making some kind of a "black list" logic)?

thetutlage commented 6 years ago

Not related to AdonisJs, but it is related to JWT, which is a standard: https://stackoverflow.com/questions/28759590/best-practices-to-invalidate-jwt-while-changing-passwords-and-logout-in-node-js