1

Consider a case: I have sent an auth token during login. Now, is there any way to avoid hitting the DB to validate each request made to the Node server?

Any link or description will be helpful.

Abhishek Mani
  • 502
  • 4
  • 12

2 Answers

3

Yes, you can do this in two steps:

  1. Firstly, JWT token validation should not need a DB call. Usually HMAC-SHA256 is used to sign the JWT. If you have the key, you should be able to calculate the MAC on the incoming JWT payload and compare it with the incoming MAC without making any DB call.

  2. For added security, you could store the newly created JWTs in an in-memory cache (e.g. Redis) with a TTL which should be the same as the JWT validity period. When the TTL expires, the cache will automatically remove the JWT entry, causing the validation to fail. If for some reason the cache is not in sync with the file system and your cache server crashes, all you lose is the valid tokens, forcing the users to re-login (of course you can take steps to avoid it in the usual scenarios). Thus, all you need to do is compare the incoming JWT with the cached list. If it is in the cache, validation is successful.

Saptarshi Basu
  • 8,640
  • 4
  • 39
  • 58
0

I'm not sure why you would hit the DB to validate a token, but it's recommended not to store sensitive data in the token payload (e.g. email/password), because anyone can see the payload (remember, it's encoded, not encrypted).

Kindly refer to: Is it safe to store sensitive data in JWT Payload?

Mekatoo
  • 39
  • 1
  • 6
  • 1