How Do I Ban Users & Invalidate Their JWT Tokens?

When a malicious user gets banned by an admin, I have to ensure he can no longer access protected routes, but that means I have to query the database every time I check a user's token. Is there a more efficient method for invalidating tokens?
20 Replies
barry (14mo ago)
Just use normal db sessions. Leave JWTs the fuck alone.
Aerys (OP, 14mo ago)
That's an option as well oc, but my whole system is JWT atm.
barry (14mo ago)
If you add the ability to invalidate a JWT you instantly remove the benefit of no db lookup, and it just doesn't make sense. Just use db sessions like everyone else. JWTs are not meant for web apps.
Aerys (OP, 14mo ago)
The benefit of JWT is being stateless; a db lookup doesn't violate it.
barry (14mo ago)
Yes, yes it does? Now you suddenly have state attached.
Aerys (OP, 14mo ago)
Not really, we're still not mutating the token.
barry (14mo ago)
wtf you on about, it's still attached to the session. You have db state related to the session, so it's no longer stateless.
Aerys (OP, 14mo ago)
Verification means statefulness?
barry (14mo ago)
You. Store. State. There's no fancy terminology, it's black and white: if you have something in your database that tells you how to act when a request comes in from a certain user, then it is not stateless. And again, JWTs were never meant for web apps, leave them be.
Aerys (OP, 14mo ago)
Bruh, next time I won't, but I have to fix this now.
DayDreamer123 (14mo ago)
Store a boolean (whether the user is banned or not) in the JWT itself?
barry (14mo ago)
lol
DayDreamer123 (14mo ago)
At least explain why it's a bad idea.
barry (14mo ago)
Because you can't alter a JWT after it's issued. You make a JWT and it lasts x time, no more to it, and banning can happen at any point.
DayDreamer123 (14mo ago)
But the user will get logged out after he gets banned?
barry (14mo ago)
No, a JWT can't be deleted once it's made; it works for however long it's said to work.
DayDreamer123 (14mo ago)
If someone logs out, they still have a valid JWT in their browser?
barry (14mo ago)
Depends how it's implemented, but the JWT is still valid, so if they copied it they could just add it back.
DayDreamer123 (14mo ago)
Ohh, then he can cache banned users with the same expiry as the JWTs.
barry (14mo ago)
And then it's no longer stateless, benefit gone. TL;DR just leave JWTs damn alone if you're making web apps.
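The "cache banned users for the lifetime of the JWTs" idea from the thread, as an added example that is not code from anyone in this discussion: a minimal HS256 issuer and verifier built on the Python standard library, where a ban entry only has to live until every token issued before the ban has expired, so the ban list stays bounded instead of growing forever. The secret, user ids and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the example
TOKEN_TTL = 3600  # seconds a token stays valid after it is issued

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, now: int) -> str:
    """Sign {sub, iat, exp} with HS256. `iat` is what the ban check keys on."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

class BanList:
    """user_id -> time of ban. Any token issued at or before that time is dead;
    once banned_at + TOKEN_TTL has passed, every such token has expired on its
    own and the entry can be dropped, so the list never outgrows one TTL."""
    def __init__(self):
        self._banned = {}

    def ban(self, user_id: str, now: int):
        self._banned[user_id] = now

    def is_revoked(self, user_id: str, issued_at: int, now: int) -> bool:
        self._banned = {u: t for u, t in self._banned.items() if t + TOKEN_TTL > now}
        banned_at = self._banned.get(user_id)
        return banned_at is not None and issued_at <= banned_at

def verify_token(token: str, bans: BanList, now: int):
    """Return the claims if the signature, expiry and ban list all pass, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now or bans.is_revoked(claims["sub"], claims["iat"], now):
        return None
    return claims
```

The lookup against `BanList` is exactly the piece of state barry objects to; the point of keying it on `iat` is that it stays small and can sit in memory or a short-TTL cache rather than being a per-request database query.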