Open vasteez opened 10 months ago
Since it's a JWT, everything is encoded within the token, so I think no; you need to rely on the jwtOptions "expiresIn" setting to limit the lifetime of the token.
If you really need this feature, you could maintain your own database collection where you store a unique value associated with the token, and call it from the verify callback. I think this function cannot access the token value, but it can access the content of the token and you can shove a unique id within it (a bit convoluted, but possible).
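A sketch of the single-use approach described in the reply above, added here as an example and not taken from the thread or from any library's own code. The `OneTimeTokenStore` class, the `jti` and `destination` claim names and the `(payload, done)` callback shape are assumptions; the in-memory `Map` stands in for the database collection.

```javascript
const { randomUUID } = require('node:crypto');

// Stand-in for the database collection: jti -> expiry (ms since epoch).
// A real deployment needs an atomic "delete if present" (or a unique-key
// update) so two concurrent requests cannot both consume the same id.
class OneTimeTokenStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pending = new Map();
  }

  // Called when the link is created; returns claims to embed in the JWT payload.
  issue(destination, ttlMs) {
    const jti = randomUUID();
    this.pending.set(jti, this.now() + ttlMs);
    return { destination, jti };
  }

  // True exactly once per issued id, and only before it expires.
  consume(jti) {
    const expiresAt = this.pending.get(jti);
    if (expiresAt === undefined) return false; // unknown or already used
    this.pending.delete(jti);                  // burn on first presentation
    return this.now() < expiresAt;
  }

  // Drop ids whose links were never clicked.
  purgeExpired() {
    for (const [jti, expiresAt] of this.pending) {
      if (expiresAt <= this.now()) this.pending.delete(jti);
    }
  }
}

// Hypothetical verify callback: assumes the library has already checked the
// JWT signature and expiry and hands over the decoded payload.
function makeVerify(store) {
  return (payload, done) => {
    if (typeof payload.jti !== 'string' || !store.consume(payload.jti)) {
      return done(new Error('link already used or expired'));
    }
    return done(null, { email: payload.destination });
  };
}
```

Keeping the store's TTL aligned with "expiresIn" lets `purgeExpired` clear ids for links that were never clicked.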
It's probably unsafe to let the link be used multiple times. Can we limit it to once per link?