tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

Unclear place in use #1480

Closed seth-shi closed 6 years ago

seth-shi commented 6 years ago

Hello, I have recently been learning this package; it is easy to use, thank you for your efforts. I want to know where the generated token is stored. I tracked down the source code and didn't find where the token is stored; there was just a piece of data stored in /storage/cache/framework/cache/data.

jampack commented 6 years ago

The tokens are stateless, which means they are not stored anywhere on the server; the token itself contains all the information necessary to identify a user.

veshraj commented 5 years ago

@akkhan20 I agree with you. But I have one doubt. Suppose a token is issued at login and it should not work after the token is refreshed. In this scenario, how does JWT determine that the token from before the refresh is invalid?

tuanpht commented 5 years ago

@veshraj If the blacklist is enabled [1], the old token will be stored in the blacklist storage [2], which is actually the Laravel Cache storage [3].

[1] https://github.com/tymondesigns/jwt-auth/blob/63698d304554e5d0bc3eb481cc260a9fc900e151/config/config.php#L223

[2] https://github.com/tymondesigns/jwt-auth/blob/63698d304554e5d0bc3eb481cc260a9fc900e151/src/Manager.php#L131-L132

[3] https://github.com/tymondesigns/jwt-auth/blob/63698d304554e5d0bc3eb481cc260a9fc900e151/config/config.php#L300

Niush commented 5 years ago

@tuanpht That means php artisan cache:clear will clear all the blacklisted tokens, or not?

nullifiedaccount3 commented 5 years ago

@Niush Yes, once the cache is cleared, blacklisted tokens are cleared as well.

geneowak commented 5 years ago

@Niush Does that mean that once cleared, the formerly blacklisted tokens become active again? If so, is there another way of invalidating a token without waiting for it to expire?

nullifiedaccount3 commented 5 years ago

@geneowak store the blacklisted keys in a DB like MySQL. Or change your JWT signing key.

ihamzehald commented 4 years ago

@geneowak Changing the JWT signing key will invalidate all your active keys. I don't recommend doing that; what I recommend is to store your blacklisted tokens in a DB, not in the cache.

geneowak commented 4 years ago

@ihamzehald, do Tymon tokens support timestamp expiry? For example, can one specify that a given token should expire in x mins, so that whether it is blacklisted or not, it's no longer valid after the given time (I think that would mean that the time of expiry is part of the information put in the token)? That would be greatly helpful security-wise, since you don't have to worry about storing all the tokens the system has ever generated, or about tokens being stolen (since the thief won't have too much time with them).

Quick question: When a user changes his password, does that invalidate the tokens created with the previous password?

Niush commented 4 years ago

@geneowak Yes, there is an expiry date (exp) that can be set when creating the JWT token. But storing the active tokens or invalidated tokens in a DB or Redis is the best way to go. And password changes do not affect the token (which does not store the password anyway). You could manually invalidate all the tokens this user has when changing the password.

ihamzehald commented 4 years ago

@Niush I've been searching all over the internet for how to store the blacklisted tokens in a database and I haven't found a way yet; can you please help me with that?

Niush commented 4 years ago

Personally, I like to store active tokens in the database/Redis (rather than all the invalidated tokens).

geneowak commented 4 years ago

@Niush, I think that could be the best way of doing it, because over time one may end up with thousands of tokens, especially if the system has very many users. One also doesn't have to worry if for some reason the database is cleared; the user will just have to log in again, and any old or stolen tokens can never be used again. This approach can also help in scenarios where you want the user to be logged into one device at a time. Thanks, let me try it out and see how it works out.
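The points raised across this thread (a stateless token carries its own claims; a refresh puts the old jti in a blacklist that lives only as long as the cache; clearing that cache resurrects revoked tokens; exp and signing-key rotation both kill tokens regardless of any store; an allow-list of the one active token per user survives a wipe safely and gives single-session behaviour) are easy to see side by side in a small model. The following is an added example and is not code from jwt-auth or from anyone in this thread. It is written in Python with only the standard library so it runs stand-alone; the signing key, the user id "42", the timestamps and the TTLs are all constructed for the demo. It mirrors jwt-auth's design of keeping a blacklisted jti until the token's own exp, but is not the library's implementation.

```python
"""Added example (not jwt-auth's code): a minimal HS256 JWT plus the two
revocation models discussed in the thread, a deny-list of old jti values
(cache-backed blacklist) and an allow-list of the one active token per user.
All keys, ids and timestamps below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT. Every claim travels in the token; nothing is kept server-side."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode(token: str, key: bytes, now: int) -> Optional[dict]:
    """Verify signature and exp; return the claims or None. alg is pinned to HS256
    so a tampered header cannot downgrade verification. A missing exp counts as expired."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def issue(sub: str, key: bytes, now: int, ttl: int) -> str:
    """Mint a token with a random jti so individual tokens can be revoked."""
    return encode({"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}, key)


class Blacklist:
    """Deny-list keyed by jti, honoured only until the token's own exp (the store can
    drop the entry after that). clear() models wiping the cache, e.g. cache:clear."""
    def __init__(self) -> None:
        self._entries: dict = {}

    def add(self, claims: dict) -> None:
        self._entries[claims["jti"]] = claims["exp"]

    def has(self, claims: dict, now: int) -> bool:
        exp = self._entries.get(claims["jti"])
        return exp is not None and exp > now

    def clear(self) -> None:
        self._entries.clear()


class ActiveTokens:
    """Allow-list: one current jti per user. Issuing a new token evicts the previous
    one (single session); dropping the user, e.g. on password change, or wiping the
    whole store only forces re-login, it never un-revokes anything."""
    def __init__(self) -> None:
        self._current: dict = {}

    def register(self, claims: dict) -> None:
        self._current[claims["sub"]] = claims["jti"]

    def revoke_user(self, sub: str) -> None:
        self._current.pop(sub, None)

    def is_current(self, claims: dict) -> bool:
        return self._current.get(claims["sub"]) == claims["jti"]


def demo() -> dict:
    """Run the scenarios from the thread and report each outcome as a boolean."""
    key, now = b"demo-signing-key-not-for-production", 1_700_000_000
    blacklist, active = Blacklist(), ActiveTokens()
    t1 = issue("42", key, now, ttl=3600)
    c1 = decode(t1, key, now)
    r = {"stateless_decode": c1 is not None and c1["sub"] == "42"}
    t2 = issue("42", key, now + 60, ttl=3600)       # refresh: new token ...
    blacklist.add(c1)                                # ... old jti goes on the blacklist
    r["old_rejected_after_refresh"] = blacklist.has(c1, now + 60)
    blacklist.clear()                                # cache wiped
    r["old_resurrected_after_cache_clear"] = (
        not blacklist.has(c1, now + 120) and decode(t1, key, now + 120) is not None)
    r["dead_after_exp"] = decode(t1, key, now + 3601) is None
    r["dead_after_key_rotation"] = decode(t2, b"rotated-key", now + 120) is None
    c2 = decode(t2, key, now + 60)
    active.register(c1)
    active.register(c2)                              # second login evicts the first
    r["only_newest_active"] = (not active.is_current(c1)) and active.is_current(c2)
    active.revoke_user("42")                         # e.g. on password change
    r["password_change_revokes"] = not active.is_current(c2)
    return r
```

The Blacklist and ActiveTokens classes hold their state in memory here; in a real deployment the same two interfaces would sit over a database or Redis, which is the point several commenters make: whichever backing store you choose, a deny-list fails open when it is wiped, while an allow-list fails closed.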

Zannier7 commented 4 years ago

@geneowak, did you manage to have only one session per user? I am working with Lumen and I want to enable that functionality of only one session per user. If you managed to develop that functionality, I don't know if it would be too much to ask you to share how you did it.