Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

question. How do I invalidate an existing token? #126

Closed
SanderElias opened this issue Dec 2, 2015 · 7 comments
Closed

question. How do I invalidate an existing token? #126

SanderElias opened this issue Dec 2, 2015 · 7 comments

Comments

@SanderElias
Copy link

I'm in the situation that I need a way to invalidate an existing token.
Once a token is invalidated, it should not be possible to auth with it anymore. I could not find a way do do this. did I miss something, or is this not supported yet?

@eventhough
Copy link
Contributor

@SanderElias Here are some resources on how to invalidate a jwt token:

http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens
http://www.kdelemme.com/2014/05/12/use-redis-to-revoke-tokens-generated-from-jsonwebtoken/

The easiest way is to just remove the token from the client. If you're worried about security, you'll need to implement a more advanced security system.

@SanderElias
Copy link
Author

@eventhough I knew about that.
But I hoped there would be at least some helpers inside hapi-auth-jwt2, to easy this system.

For example, if there would be a md5-hash(or other identifier) of the token would be available somewhere in the request, it would make things a lot simpler.

For now, this is single server, so i could keep an array of invalid tokens, along with their expiry times, in memory.
When scaling up, putting it in redis makes sense, but actually any DB would do. As this data-set would be very tiny. (invalidated && not expired)

@eventhough
Copy link
Contributor

@SanderElias If you need some kind of token identifier, you could probably use iat the "issued at" timestamp. For each token the combination of a user id + iat would very likely be unique.

@vdeturckheim
Copy link

Maybe take a look at the "jti" property of the jwt

@eventhough
Copy link
Contributor

@vdeturckheim great recommendation! @SanderElias it looks like you will have to add jti to the payload object when the token is issued. Currently there is no direct support of jti in jsonwebtoken: auth0/node-jsonwebtoken#104 But it looks like they are considering adding it as a library option.

@nelsonic
Copy link
Member

@SanderElias we store our JWT-based sessions in a Redis datastore and lookup the session for the given JWT during the validateFunc (validation function) see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25
This means we can invalidate the session in Redis and then reject a request that uses an "old" or invalid JWT. see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25
How did you decide to do it?

@nelsonic
Copy link
Member

@SanderElias please let us know if you still need further clarification on this. otherwise can we close the issue? thanks. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants