by kierenj
3384 days ago
In terms of invalidation, I think a case-by-case basis is best, as it often is. For example - If some critical part of your app depends on a user's account or session being still valid, just do the check on that endpoint call (grab the sub/ID claim from the JWT and hit the DB, or similar). The rest of the time - viewing stats/feed/whatever, admit that if the user had a valid token issued to them 5 minutes ago, it's probably OK to send them stats without having to check revocation (or whichever benefit of JWT you're exploiting). Thing is, this at least gives you the /option/.
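The per-endpoint policy described in the comment above, written out as an added example (not the commenter's code). It builds a minimal HS256 JWT with only the standard library, uses a constructed in-memory revocation set in place of the DB, hypothetical route names, and the 5-minute window from the comment; having a token older than that window fall back to the lookup is my assumption.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for the example; a real deployment would use a proper
# signing key and a shared store (DB, Redis, ...) for revocations.
SECRET = b"example-signing-key"
REVOKED_SUBJECTS = {"user-42"}                       # constructed: revoked since issuance
MAX_AGE_WITHOUT_REVOCATION_CHECK = 300               # 5 minutes, as in the comment
CRITICAL_ENDPOINTS = {"/account/delete", "/payment"} # hypothetical routes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, issued_at: int) -> str:
    """Mint an HS256 JWT carrying only the claims the policy needs: sub and iat."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": issued_at}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure or bad base64/JSON
        return None

def authorize(token: str, endpoint: str, now: int) -> Tuple[bool, str]:
    claims = verify_token(token)
    if claims is None:
        return False, "bad signature"
    # Critical endpoints always hit the revocation store, as the comment suggests.
    if endpoint in CRITICAL_ENDPOINTS:
        return (False, "revoked") if claims["sub"] in REVOKED_SUBJECTS else (True, "revocation checked")
    # Elsewhere a token issued within the window is trusted without a lookup.
    if now - claims["iat"] <= MAX_AGE_WITHOUT_REVOCATION_CHECK:
        return True, "fresh token, no lookup"
    # Assumption: older tokens fall back to the lookup rather than being trusted forever.
    return (False, "revoked") if claims["sub"] in REVOKED_SUBJECTS else (True, "stale token, revocation checked")
```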