Node js jwt authentication

Question

So i recently used jwt to make an auth system in my server, everything worked great but when i wanted to make a logout route i realized something:

jwt cannot be unvalidated soo instead what i did is stored these tokens along with the logged in user's id in mongodb, so everytime the user login the token gets saved to the DB but hashed using sha256 algorithm in a different collection.

-Im using it only for verification purposes so when we hit a protected route for example we check if the current token that we have (from either the header or a cookie) is valid in the DB, and then we validate it if found using jwt.verify() and other verification steps

im basically whitelisting tokens.

benefits:

-whenever i want to logout a user i simply remove that token from the DB
-or remove all tokens with the current profile id if i want to logout all the users with this account...

Now here's my question:

Is my approach doable ?
Is it bad for security (keep in mind that tokens are stored hashed) ?

Does this answer your question? [How to destroy JWT Tokens on logout?](https://stackoverflow.com/questions/37959945/how-to-destroy-jwt-tokens-on-logout) — esqew, Sep 22 '20 at 21:23
Thank you, kind of but i just wanted to know if the current implementation that i came up with is correct — Deadro, Sep 22 '20 at 21:27

Aryan · Answer 1 · 2020-09-23T10:14:12.183

0

If you have given jwt token a expiration time than why you want to store it in database and also you can sign the data you want from user object so there no problem with password leak or session-token leak and every time when you want something from jwt token you have to get it from database and have to decode it which become lengthy process its better to not store token in database.

when you can store your token as a client-side cookie or in a session Storage. whenever you want token you have to decode it in your authorize file and have to request for id or something else whatever you want

you can store it in localstorage but it can not be recommend. you can check out this blog

now it's on you where to store it and if you want to know more check out thi thread

edited Sep 23 '20 at 10:14

answered Sep 23 '20 at 10:07

Aryan

3,338
4
18
43

I agree with you, but say i wanted to know all logged in users with this account, and maybe later log them out how can you achieve that without saving these tokens in the db ? – Deadro Sep 23 '20 at 20:15
check out this https://stackoverflow.com/q/49104698/12761193 may be it helps you to know more. – Aryan Sep 24 '20 at 04:37

Node js jwt authentication

1 Answers1