Reputation:
I am creating a Node.js backend app using JWT. For me the requirement is simple: the authorization token shouldn't have any expiry time. But I am facing a problem invalidating the JWT when the user changes his password.
When the user changes his password, I create a new JWT and delete the old token, but the user can still use his old JWT (from other logged-in devices) and access the application.
So can anyone tell me how to avoid this scenario?
Upvotes: 17
Views: 44810
Reputation: 912
You could use the iat claim for this (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6). Store a minimumIssuedAt date with the user in the database and verify whether the iat in the claim is at least the minimumIssuedAt for the user identified by the sub claim. When a user changes his password, you can set the user's minimumIssuedAt date to the current date, thereby invalidating all existing tokens for the user.
Although this does require maintaining some state, it is simpler than storing all issued JWTs in a database.
Upvotes: 0
Reputation: 197
The exp claim of a JWT is optional. If a token does not have it, it is considered not to expire.
According to the documentation of https://www.npmjs.com/package/jsonwebtoken, the expiresIn field does not have a default value either, so just omit it.
const jwt = require('jsonwebtoken'); // the npm package linked above
const token = jwt.sign({ email: '[email protected]', role: 'User' }, 'Secret', {}); // no expiresIn, so no exp claim is added
Upvotes: 15
Reputation: 3892
Looks like a familiar question to me; I have already answered a similar question, Best practices to Invalidate a JWT Token.
So the steps for solving your problem are as follows:
When the user logs in, create a login token in his user database with no expiry time.
Hence, while invalidating a JWT, follow the below steps:
So basically you need to store tokens in the user's database and make use of them while invalidating. Simple :)
Upvotes: 18
Reputation: 2023
You cannot invalidate your JWT token, from what I know. I would always suggest having a short expiry time, with a maximum duration of a week. It may be a pain to implement at first for your application to check from time to time whether your token is valid and request a new one when it is invalid, but there are provisions that allow you to refresh your token or check if the token is valid with most JWT libraries. Now, if you are adamant that you want to keep your tokens without an expiry time, then I would suggest keeping a blacklist of sorts that your middleware will check. There was a similar question asked before here. Hope this helps.
Upvotes: 1