I need some advice about future pitfalls and problems if I go forward with the approach below.

I am using JWT and I need to expire all previous tokens of a user when he/she changes his/her password.

The approach I took to make a unique secret key for each user is concatenating my secret key and the user's password (config.jwtSecretKey + user.password) to generate a dynamic secret key. Once the user changes his/her password the secret key will change and hence all previous tokens will be invalid.

Things are working fine but to validate each token I need a DB call to get the password.

Please suggest how I can improve this or what the right way is to do the same.

Cybersupernova
Utkarsh Pandey

1 Answer

Your approach is quite good as it's too KISSy.

The database query can be reduced by using some in-memory cache of your dynamic secret key.

Also, you can change the dynamic key from password hash to some random hash to reduce conflicts. It will reduce a lot of security threats.

Cybersupernova

    The nice thing about using a dynamic key is that with that hash algorithm you can provide Single Sign-On really quickly, even worldwide, but if your algorithm is compromised (e.g. by a member of the company) you are screwed, or if it's just based on the password or data coming from the client, a breach on their side can be dangerous as well. IMHO a mix of the two can provide really nice authentication: you just request a few fields of the database that can be cached, combined with a quick/unpredictable hash algorithm you can provide a really fast and effective authorization mechanism. – EliuX Aug 20 '18 at 03:22