Closed carsomyr closed 11 months ago
Hi @carsomyr, did you try configuring revocation_requests?
Hey @carsomyr, as posted above, did you try using the revocation_requests configuration to avoid the need to monkey-patch?
I'll close this one as revocation_requests should be the clean way to do it.
Assuming a JTI revocation strategy and recoverable on a Devise'd User model, this is the code I added to revoke the JWT when the user resets their password:

The above snippet addresses the scenario of a stolen token and the app's creators advising the user to reset their password. A major action such as this already invalidates the session's authenticatable_salt, and it follows that the JWT should also be revoked.
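
The revoke-on-password-reset behaviour described in the post above, modelled in plain Ruby as an added example (not the poster's snippet and not devise-jwt code). `DemoUser`, `issue_token` and `token_accepted?` are hypothetical stand-ins, and the HMAC-signed token is a simplified substitute for a real JWT.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

SECRET = 'constructed-demo-secret' # constructed value, for this demo only

# Hypothetical stand-in for a Devise'd User model with a jti column.
class DemoUser
  attr_reader :jti

  def initialize(password)
    @password = password
    @jti = SecureRandom.uuid
  end

  # JTI strategy: a token is valid only while its jti matches the stored one.
  def jwt_revoked?(payload)
    payload['jti'] != jti
  end

  # A password reset rotates the jti, so tokens issued earlier stop matching.
  def reset_password(new_password)
    @password = new_password
    @jti = SecureRandom.uuid
  end
end

def sign(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

def issue_token(user)
  body = [JSON.generate('jti' => user.jti)].pack('m0')
  "#{body}.#{sign(body)}"
end

# True only for an authentic token whose jti is still the user's current one.
def token_accepted?(token, user)
  body, mac = token.to_s.split('.', 2)
  return false unless body && mac
  return false unless OpenSSL.secure_compare(sign(body), mac)
  !user.jwt_revoked?(JSON.parse(body.unpack1('m0')))
end
```

A token copied before the reset keeps a valid signature but carries the old jti, so it is rejected without any server-side denylist.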