nesso99 / jwt-blacklist

A module based on node-jsonwebtoken with blacklisting feature.
GNU Lesser General Public License v3.0

Will it work with my use case? #2

Closed shubham1164 closed 5 years ago

shubham1164 commented 5 years ago

I have a case, please let me know if I should use it or not?

I am working on a mobile (Android/iOS) app with a Node.js backend for the API. I authenticate the user on the mobile device (via OTP on email) and then the user stays logged in for a lifetime. Now, if the user loses his/her phone, I must re-authenticate the user again (via OTP on email) on another phone. This should also log out the previous (or lost) phone.

Can I use your jwt-blacklist for my case? If yes, how much expiry time should I use for it?

ghost commented 5 years ago

In your case, you can show your users all unexpired tokens which he/she has (saving user tokens). That way, the user can revoke any token they want, as other apps do. My library is outdated and you can use Redis to revoke the token with an expiry time. I will update it soon. Thank you.

shubham1164 commented 5 years ago

If I understand your solution correctly, the user can revoke any token, and if he finds that his token is compromised he must revoke it.

I am using this Node library for generating/verifying the JWTs. But there is no documentation explaining how to revoke it. Can you guide me?

ghost commented 5 years ago

The library doesn't have a revoke function; this is the reason why this library was born.

shubham1164 commented 5 years ago

Can you recommend any other better way of solving the issue as of today?

ghost commented 5 years ago

You can use Redis to revoke tokens.

shubham1164 commented 5 years ago

You mean by using Redis (in-memory data storage) with a blacklist feature?

ghost commented 5 years ago

You can save revoked tokens in Redis and check them when the user logs in.

shubham1164 commented 5 years ago

Thanks :)