mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

Handling JWT token invalidation on user logout #111

Closed zeeskhan1990 closed 7 years ago

zeeskhan1990 commented 7 years ago

Hi, thanks for the great library. I have just started setting up an authentication mechanism for a react-native app that I am currently working on, and this library has helped in streamlining the whole JWT authentication part.

But there's one scenario that I am not very sure how to handle, and that is token invalidation. I want the token to be invalidated on user logout, so that any further API calls using that token fail. What should be the suggested way to solve this problem?

mikenicholson commented 7 years ago

You can't invalidate a JWT after it is issued in any sane way that doesn't violate the purpose of a JWT.

The purpose of using a JWT is to achieve stateless auth. You could conceivably store the JWT in a blacklist in your database and check each JWT against the blacklist after validating it. This is a bad idea since you've added state and a database lookup to each API call, which is exactly what the JWT is trying to avoid.

The best solution for something like this is to issue JWTs with a relatively short expiration time and force the client to renew the JWT at a regular interval using something like a refresh token. These schemes are not supported by this library and you would have to implement them yourself or use another solution like Auth0. This library only provides JWT validation for Passport and leaves the rest of the authentication scheme up to the user.

zeeskhan1990 commented 7 years ago

Thanks @themikenicholson