5

I'm using JWT (jsonwebtoken) package with node for token handling.

Is there any way to "logout"/revoke/invalidate a token?

mosquito87
  • Any solution would depend on a proprietary implementation of backend checks that defeats the primary purpose of JWT tokens: them being self-contained. If your use case does not allow for self-contained tokens it is better to look at a different type of token than JWTs. – Hans Z. Mar 05 '15 at 13:40

3 Answers

2

If you just want to log the current user out, like @Massimiliano said, it's often implemented by deleting the token from whatever client-side store you've been using to keep track of it (e.g. cookies).

If you need revocation for security reasons, here's an article that talks about why you might not want to go with JWTs in the first place, and instead use regular, opaque Bearer tokens (implemented by storing them in a database, often using a secure random string as their ID).

https://www.dinochiesa.net/?p=1388

Basically, they aren't revocable without adding a database lookup (negating one of the main reasons to use JWTs to begin with). And in the case of needing to revoke via a user interface, you're going to want to be able to query for tokens by user_id or group_id or similar, so you'll want to be able to index tokens by that information, instead of having it be opaque in the JWT claims.

Ian Storm Taylor
-1

I also had this problem; I solved it this way: First I create a session model for the DB, like this:

var mongoose = require('mongoose');
var Schema = mongoose.Schema;
// One document per issued token: the owning user plus a hash of the token
var SessionSchema = new Schema({
    user_id:   { type: String, required: true },
    tokenHash: { type: String, required: true }
});
module.exports = mongoose.model('Session', SessionSchema);

After creating the token I save the session. When the user does something, my "checkSession" middleware searches for the token in the DB: if it exists I verify it; if it does not exist I send auth_error; if the token exists in the DB but is expired, I remove it from the DB and send auth_error. If I delete or block a user I remove the session from the DB too.

Try it, maybe this helps you.

siavolt
  • The whole point of tokens was for the server to avoid making calls to the DB. What you propose as the solution is session handling, which is a different authentication system. – stackErr Jul 29 '15 at 05:14
-1

With JWT authentication there is no need to insert the token in a database. If you want to revoke/logout/invalidate a token, just delete it locally in the browser wherever you have decided to store it (cookie or header); in that case, at the next call of whatever route (protected by authentication) the server, if it had a good programmer, should ask you for authentication again.

Hope this helps, ciao.

Massimiliano
  • Deleting it locally does not help you if somebody stole your user's token. Depending on the expiration time of the token, a hacker could continue using it for days or weeks. – linus_hologram Feb 19 '20 at 14:05
  • Totally agree with @linus_hologram. This is not the most secure way to do so. – Vitomir Feb 16 '23 at 09:34