
I am using the jwt-simple node module.

How can I blacklist tokens?

DrakaSAN
Vladimir
  • You store a list of all blacklisted tokens and compare incoming tokens against this list? JWTs are not meant to be blacklisted, but to expire. – DrakaSAN Aug 23 '16 at 13:27
  • Possible duplicate of [Invalidate JWT Token in NodeJS](http://stackoverflow.com/questions/29087552/invalidate-jwt-token-in-nodejs) – DrakaSAN Aug 23 '16 at 13:29
  • You have different options for invalidating tokens before expiration time here http://stackoverflow.com/questions/37507714/invalidating-client-side-jwt-session/37520125#37520125 – pedrofb Aug 23 '16 at 15:40
  • Please have a look at https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens/52407314#52407314 – Ziaullhaq Savanur May 19 '20 at 07:22

3 Answers


Long story short, you don't.

You set short expire times and wait for the token to expire.

If you need quick logout, it comes at the price of your app needing to log in often.

Robert Rossman's answer explains an alternative way to do that.

DrakaSAN
  • Thanks for the answer, but that doesn't explain my question. I can put the access token I want to blacklist in a database, but I don't want to hit the database. – Vladimir Aug 23 '16 at 13:57
  • I repeat: JWTs are not meant to be blacklisted. They expire by themselves after a set time. Want quick logout? Set a short expiry time, but the user will have to ask for a new token often. Don't want the user to ask every time? Set a long expiry time, and forget about logout. – DrakaSAN Aug 23 '16 at 14:06
  • Wanting to blacklist JWTs is like trying to eat with a shovel. Sure, you can do it somehow. But you will probably lose a tooth or two, make a mess of yourself, and have a hell of a hard time. Either use a fork to eat, or use your shovel to dig. If you need logout, use sessions. Need JWTs? Use expiry times. – DrakaSAN Aug 23 '16 at 14:09
  • When I used Laravel there was a function revokeToken(). There is a problem if someone takes your access token and you want to remove that token immediately; what to do then? – Vladimir Aug 23 '16 at 14:43
  • Then you failed to set a short enough expiration time on your token. There are other schemes to prevent that, but you'll find them in the multiple duplicates of your question across SO. – DrakaSAN Aug 23 '16 at 14:53

Easy way to blacklist or destroy a JWT: use the jwt-blacklist module.

Install it via: $ npm install jwt-blacklist

Example:

const jwt = require('jsonwebtoken');
const jwtBlacklist = require('jwt-blacklist')(jwt);

// signed exactly as with jsonwebtoken; expiresIn also bounds how long a blacklist entry must be kept
let token = jwtBlacklist.sign({
    feeling: 'awesome'
}, 'secret', { expiresIn: '2h' });

jwtBlacklist.blacklist(token); // destroy the token

try {
    // same arguments as jwt.verify: the secret is required, not just the token
    jwtBlacklist.verify(token, 'secret');
} catch (err) {
    console.error(err.message); // throws: token expired or destroyed
}
Carlos


1) Simply remove the token from the client

2) Create a token blacklist

3) Just keep token expiry times short and rotate them often

Please have a look at Invalidating JSON Web Tokens

Ziaullhaq Savanur