cybertooth-io / ermahgerd-rails-api-jwt

Rails 5+ API, JWT_Session, Pundit, JSONAPI, Sidekiq, PostgreSQL.

Immediate Flush Of Access Token #7

Closed nadnoslen closed 6 years ago

nadnoslen commented 6 years ago

We already store the RUID inside the database's Session table. When a request to invalidate occurs, we ask JWTSessions::Session to locate the refresh token by RUID and invalidate it. We could at the same time effectively expire/destroy the associated access token as the refresh token maintains a reference to the access token.

If that doesn't work, we could store both the RUID (refresh) & UID (access) in our Sessions table.

Check out https://github.com/tuwukee/jwt_sessions#flush-sessions in the jwt_sessions gem.

nadnoslen commented 6 years ago

Will not fix, as we have proven in issue #10 that this is unnecessary: the moment we invalidate the refresh token found at RUID, the access token it is paired with is immediately rejected.
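
The pairing discussed in this thread, as an added example that is not part of the original issue and is not code from this repository or from jwt_sessions: a small in-memory model in which the refresh record (keyed by RUID) holds a reference to its access token UID, so flushing by RUID also makes the paired access token fail. The class and method names (`PairedTokenStore`, `flush_by_ruid`, `access_valid?`) are hypothetical, and the model assumes every request checks the access token against the server-side store rather than trusting the signature and expiry alone.

```ruby
require 'securerandom'

# Hypothetical in-memory model of a paired refresh/access token store.
# Not the jwt_sessions API; it only illustrates the pairing.
class PairedTokenStore
  # The refresh record carries the reference to its current access token.
  Refresh = Struct.new(:ruid, :access_uid, :user_id)

  def initialize
    @refresh = {} # RUID => Refresh record
    @access  = {} # access UID => RUID
  end

  # Issue a refresh/access pair; returns [ruid, access_uid].
  def login(user_id)
    ruid = SecureRandom.uuid
    uid  = SecureRandom.uuid
    @refresh[ruid] = Refresh.new(ruid, uid, user_id)
    @access[uid] = ruid
    [ruid, uid]
  end

  # Accepted only while the access UID and its refresh record both exist.
  def access_valid?(uid)
    ruid = @access[uid]
    !ruid.nil? && @refresh.key?(ruid)
  end

  # Rotate the access token; nil when the refresh token was flushed.
  def refresh(ruid)
    rec = @refresh[ruid]
    return nil unless rec
    @access.delete(rec.access_uid) # the old access token dies on rotation
    rec.access_uid = SecureRandom.uuid
    @access[rec.access_uid] = ruid
    rec.access_uid
  end

  # Invalidate by RUID: drop the refresh record and the access token it
  # references. Returns the number of sessions removed (0 or 1).
  def flush_by_ruid(ruid)
    rec = @refresh.delete(ruid)
    return 0 unless rec
    @access.delete(rec.access_uid)
    1
  end
end
```
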