luckyframework / lucky

A full-featured Crystal web framework that catches bugs for you, runs incredibly fast, and helps you write code that lasts.
https://luckyframework.org
MIT License

There is no way to force-logout JWT tokens #1810

Open notramo opened 1 year ago

notramo commented 1 year ago

Lucky does not have a way to revoke API authentication JWT tokens. While the clients can delete them themselves, force-logout (e.g. lost device) is not possible.

Worth reading: https://evertpot.com/jwt-is-a-bad-default/

What about providing a database-based session too?

notramo commented 11 months ago

Any thoughts on this?

jwoertink commented 11 months ago

I'm not familiar with how this works, but it sounds like a nice idea to add. I'd be open to a PR. Probably would have to go in https://github.com/luckyframework/authentic ?

mdwagner commented 10 months ago

A simple solution, if you're already using JWTs, is to just store the JWTs in the database and validate them on every API endpoint. Obviously, this defeats the purpose of JWTs, but it would gain the ability to revoke them.

Could you provide more context on what you're looking for?

robacarp commented 10 months ago

One scenario which would require a system to provide removal of existing sessions is this. When your account is suspected of compromise, it's important to be able to log out all existing sessions before changing your password. Otherwise, someone who is logged in can easily stay logged in.
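The two ideas above, a server-side record that every JWT is checked against (mdwagner's comment) and a "log out everything" operation for the compromise flow (robacarp's comment), written out as an added example. This is not Lucky or Authentic code and Ruby is used rather than Crystal; the `SessionStore` class, the `Jwt` module, the `dev-a`/`user-1` identifiers and the HS256 secret are all assumptions made for the example, and the in-memory Hash stands in for a database table. Only the `jti` (token id) is stored, not the token itself, so a token with a valid signature is still rejected once its row is gone:

```ruby
require "openssl"
require "json"

# Added example, not Lucky/Authentic code. Server-side table of live sessions,
# keyed by the JWT "jti" claim. An in-memory Hash stands in for a DB table.
class SessionStore
  def initialize
    @rows = {} # jti => { "sub" => user id, "exp" => unix time }
  end

  def add(jti, sub, exp)
    @rows[jti] = { "sub" => sub, "exp" => exp }
  end

  # A token is live only if its jti row exists and belongs to the claimed user.
  def active?(jti, sub)
    row = @rows[jti]
    !row.nil? && row["sub"] == sub
  end

  # Force-logout one device (lost phone): returns true if a session was dropped.
  def revoke(jti)
    !@rows.delete(jti).nil?
  end

  # Force-logout every session of one user (suspected account compromise,
  # to be run before the password change): returns the number dropped.
  def revoke_all_for(sub)
    doomed = @rows.select { |_, row| row["sub"] == sub }.keys
    doomed.each { |jti| @rows.delete(jti) }
    doomed.size
  end

  def count
    @rows.size
  end
end

# Minimal HS256 JWT mint/verify, enough to show where the revocation check sits.
module Jwt
  def self.b64(data)
    [data].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64(str)
    raise ArgumentError, "bad base64url" unless str.match?(/\A[A-Za-z0-9_-]*\z/)
    padded = str.tr("-_", "+/")
    padded += "=" * ((4 - padded.size % 4) % 4)
    padded.unpack1("m0") # strict decode, raises ArgumentError on junk
  end

  def self.sign(signing_input, secret)
    OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  end

  # Constant-time byte comparison so signature checks do not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Issue a token and record its jti as a live session.
  def self.mint(secret, store, sub:, jti:, exp:)
    header  = b64(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
    payload = b64(JSON.generate({ "sub" => sub, "jti" => jti, "exp" => exp }))
    signing_input = "#{header}.#{payload}"
    store.add(jti, sub, exp)
    "#{signing_input}.#{b64(sign(signing_input, secret))}"
  end

  # Returns the claims Hash when the token is acceptable, nil otherwise.
  # Order matters: signature first, then expiry, then the revocation lookup.
  def self.verify(token, secret, store, now: Time.now.to_i)
    return nil unless token.count(".") == 2
    header, payload, sig = token.split(".")
    return nil if sig.nil?
    hdr    = JSON.parse(unb64(header))
    claims = JSON.parse(unb64(payload))
    return nil unless hdr.is_a?(Hash) && hdr["alg"] == "HS256" # pin the algorithm
    return nil unless secure_equal?(sign("#{header}.#{payload}", secret), unb64(sig))
    return nil unless claims.is_a?(Hash)
    return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    return nil unless claims["jti"].is_a?(String) && store.active?(claims["jti"], claims["sub"])
    claims
  rescue StandardError
    nil # any malformed token fails closed
  end
end

if __FILE__ == $0
  store = SessionStore.new
  secret = "example-secret-not-for-production"
  tok = Jwt.mint(secret, store, sub: "user-1", jti: "dev-a", exp: Time.now.to_i + 3600)
  puts "before revoke: #{Jwt.verify(tok, secret, store).inspect}"
  store.revoke_all_for("user-1")
  puts "after revoke:  #{Jwt.verify(tok, secret, store).inspect}"
end
```

The `exp` column is kept in the store so a periodic job can purge rows whose tokens could no longer validate anyway; without that the table only grows. Each API endpoint pays one indexed lookup per request, which is the trade-off mdwagner describes.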