Closed gmatev closed 5 years ago
ajmyyra
commented
5 years ago Originally sessions were stored in Redis and it was checked against every authorization decision, but since I've moved to JWTs, having a DB isn't all that necessary. I'll try to get it done this week. :)
gmatev
commented
5 years ago That would be fantastic. Thank you
ajmyyra
commented
5 years ago Version 1.3 is now out with Redis as optional. Currently logged out (blacklisted) tokens aren't cleaned automatically, so if you have millions of logouts, it's good to restart the service from time to time, but it shouldn't be a problem even with those numbers. I'll fix this thoroughly by the time 1.4 will come around.
Have you considered an option to have this available without Redis and have the JWT token only be stored in the cookie? You will not be able to token blacklisting on logout, but this could be ok with short lived tokens and would simplify deployment?