How Do I Ban Users & Invalidate Their JWT Tokens?
When a malicious user gets banned by an admin, I have to ensure he can no longer access protected routes, but that means I have to query the database every time I check a user's token. Is there a more efficient method for invalidating tokens?
20 Replies
Just use normal db sessions
Leave JWTs the fuck alone
That's an option as well ofc, but my whole system is jwt atm
If you add the ability to invalidate a jwt you instantly remove the benefit of no db lookup and it just doesn't make sense.
Just use db sessions
Like everyone else
jwts are not meant for web apps
The benefit of jwt is being stateless, db look up doesn't violate it
yes, yes it does? now you suddenly have state attached
not really, we're still not mutating the token
wtf you on about, it's still attached to the session
you have db related to session
no longer state-less
verification means statefulness?
you. store. state.
there's no fancy terminology
it's black and white
you have something in your database that tells you how to act when a response comes in from a certain user
then it is not state-less
and again, jwts were never meant for web apps, leave them be
bruh, next time I won't, but I have to fix this now
store a boolean (whether user is banned or not) in the jwt itself?
lol
at least explain why it's a bad idea
because you can't alter a JWT after it's issued
you make a jwt and it lasts x time, no more to it
and banning can happen at any point
but the user will get logged out after he gets banned?
no
jwt can't be deleted
once it's made it works for however long it's said to work
if someone logs out they still have a valid jwt in their browser?
depends how it's implemented, but the jwt is still valid
so if they copied it they could just add it back
ohh
then he can cache banned users with the same expiry as the jwts
and then it's no longer stateless
benefit gone
TL;DR
just leave JWTs damn alone if you're making webapps