long run, we need to address a core issue with JWTs: statelessness.
The problem is that if a user logs out, i.e. their token shouldn't be used anymore, the token itself doesn't carry this information. This means we need to create a blacklist of tokens that are no longer valid. This introduces state, however! This means on protected routes, we would need to ensure a token being used is not blacklisted yet, which is a fairly costly operation when done at scale.
Consequently, we need to revisit the usage of traditional cookie-based tokens vs JWTs.
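As an added example (not from the original text), a minimal HS256 JWT issuer and verifier next to the revocation list the paragraph describes: logout records the token's `jti`, every protected route pays for a lookup on top of the signature check, and entries are pruned once the token would have expired anyway so the list stays bounded. The secret, subjects and ids are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; a real deployment uses a random key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: int):
    """Stateless check: signature and expiry only; it cannot know about a logout.
    The HMAC always uses our own key, so the alg header cannot downgrade the check."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(_unb64(sig), expected)
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if ok and isinstance(claims, dict) and claims.get("exp", 0) > now else None

class Denylist:
    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp: the server-side state JWTs otherwise avoid
    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]
    def is_revoked(self, jti) -> bool:
        return jti in self._revoked
    def prune(self, now: int) -> int:
        # Expired tokens fail verify_token anyway, so their entries can go; returns what remains.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return len(self._revoked)

def logout(denylist: Denylist, token: str, now: int) -> None:
    claims = verify_token(token, now)
    if claims:
        denylist.revoke(claims)

def protected_route(denylist: Denylist, token: str, now: int) -> str:
    claims = verify_token(token, now)
    if claims is None:
        return "401 invalid or expired token"
    if denylist.is_revoked(claims.get("jti")):  # the extra lookup every request now needs
        return "401 token revoked"
    return f"200 hello {claims['sub']}"
```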