ueberauth / guardian

Elixir Authentication
MIT License

How to logout user after Guardian.Plug.api_sign_in #259

Closed krapans closed 7 years ago

krapans commented 7 years ago

Hi. I have a situation where I do Guardian.Plug.api_sign_in and then I would like to build logic that discards the JWT token so it's not usable again if the user makes /logout

hassox commented 7 years ago

Hi @artukrap,

If you're using GuardianDb to track the token, in your logout function you need to revoke the token. If you're not tracking the token with something like GuardianDb then just throw the token away.

krapans commented 7 years ago

@hassox I am using postgres and your package. What do you mean, throw away? For example, when I revoke the token, I am still able to use it and access the system.

hassox commented 7 years ago

@artukrap if you're using GuardianDb then revoking will cause the system to revoke it (GuardianDb keeps a record of all issued tokens). If you're not using GuardianDb or something similar to track all issued tokens then there is no way to revoke them. A JWT is valid until it expires. The only way to revoke a still active token is to keep a record of it and, when it's revoked, mark it as no longer valid.

If you're not using GuardianDb (or similar) then when you log out, calling revoke is just a noop. In that case you just dereference the token in your client and 'forget' it.

krapans commented 7 years ago

@hassox For now I have a postgres database. So it means this package https://github.com/ueberauth/guardian_db goes on top of all that and then I will be able to revoke tokens normally?

krapans commented 7 years ago

@hassox Yes, not revoke works as expected.

egeersoz commented 7 years ago

@hassox Sorry to comment on a closed issue, but regarding your response on Jan 18th, did I understand it correctly, i.e. in vanilla Guardian, calling revoke! doesn't actually revoke the token?

Reading the source code, this seems to be the case. Guardian.revoke! calls Guardian.hooks_module.on_revoke, which is just:

def on_revoke(claims, jwt), do: {:ok, {claims, jwt}}

As in, it doesn't actually do anything, BUT can be overridden with something like GuardianDb. Am I right?
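The two points made in this thread, that a signed JWT stays valid until `exp` unless the server keeps a record of revoked tokens, and that Guardian's `revoke!` only calls the configured hooks module's `on_revoke`, can be seen together in a custom hooks module. The following is an added example, not code from the Guardian project or from anyone in this thread. It assumes the Guardian 0.x API referenced above (`config :guardian, Guardian, hooks: ...`, `use Guardian.Hooks`, `on_revoke/2` and `on_verify/2` receiving `(claims, jwt)`, `Guardian.revoke!/2`, `Guardian.Plug.current_token/1` and `Guardian.Plug.claims/1`) and that issued tokens carry a `"jti"` claim. `MyApp.RevokedTokens`, `MyApp.GuardianHooks` and `MyAppWeb.SessionController` are hypothetical names; the in-memory Agent stands in for the database table GuardianDb would maintain.

```elixir
# Added example, not Guardian's own code. Assumes the Guardian 0.x hooks API:
#   config :guardian, Guardian, hooks: MyApp.GuardianHooks
# MyApp.RevokedTokens is a hypothetical in-memory stand-in for a persistent
# store such as GuardianDb; it is lost on restart, so production should persist
# revocations (GuardianDb) rather than rely on this.
defmodule MyApp.RevokedTokens do
  use Agent

  def start_link(_opts \\ []) do
    Agent.start_link(fn -> MapSet.new() end, name: __MODULE__)
  end

  # Record the token's "jti" (JWT ID) claim rather than the whole token string.
  def revoke(jti), do: Agent.update(__MODULE__, &MapSet.put(&1, jti))

  def revoked?(jti), do: Agent.get(__MODULE__, &MapSet.member?(&1, jti))
end

defmodule MyApp.GuardianHooks do
  # Provides the default (no-op) implementations, including the
  # `on_revoke(claims, jwt), do: {:ok, {claims, jwt}}` quoted in this thread.
  use Guardian.Hooks

  # Called by Guardian.revoke!/2: without this override the call is a no-op.
  def on_revoke(claims, jwt) do
    MyApp.RevokedTokens.revoke(claims["jti"])
    {:ok, {claims, jwt}}
  end

  # Called on every verification: a revoked token still has a valid signature
  # and an unexpired "exp", so it must be rejected here from the record.
  def on_verify(claims, jwt) do
    if MyApp.RevokedTokens.revoked?(claims["jti"]) do
      {:error, :token_revoked}
    else
      {:ok, {claims, jwt}}
    end
  end
end

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # DELETE /logout: revoke the token that authenticated this request, so that
  # presenting the same JWT again fails in on_verify/2 until it expires anyway.
  def delete(conn, _params) do
    jwt = Guardian.Plug.current_token(conn)
    {:ok, claims} = Guardian.Plug.claims(conn)
    {:ok, _} = Guardian.revoke!(jwt, claims)

    conn
    |> send_resp(:no_content, "")
  end
end
```

The client should still discard its copy of the token on logout; the server-side record only protects against the case where a copy is presented again, for example after it has leaked. Storing the `jti` rather than the full token keeps the record small and avoids persisting bearer credentials, and entries can be dropped once the corresponding `exp` has passed, since the signature check rejects the token from then on regardless.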