by thomasfromcdnjs 751 days ago
I feel ya.

You have to store invalidated tokens anywhere they might pass through a service, which means you have to persist them for as long as you can predict their expiry will last. Simply putting them in a memory database isn't 100% if that db gets flushed, and then you might start storing them in a disk database, at which point you might as well have just read the db in the first place using cookie auth.

In microservices, you generally have to put an invalidated JWT cache between every service, or compromised JWTs are just floating around your intranet.

I've worked at a plethora of places that use JWTs and have no invalidation strategy whatsoever; the majority of developers think that when you log out and the user has forgotten the JWT then you are all good...
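The invalidation cache the comment describes, as an added example (not the commenter's code): each revoked token id is kept exactly until that token's own exp, which is the point where the entry becomes safe to drop. The minimal HS256 signing and verification helpers, the key and the claims are constructed for illustration.

```python
"""JWT denylist that persists a revoked token id (jti) until the token's exp."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer; claims must carry 'jti' and 'exp'."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class Denylist:
    """Revoked jti -> exp. Entries are dropped only once the token itself expired."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        # Anything whose exp has passed fails the exp check anyway, so it can go.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked


def verify_jwt(token: str, key: bytes, denylist: Denylist, now: int):
    """Return claims if the signature is valid, exp is in the future and jti
    is not on the denylist; otherwise None. Signature is checked before any
    claim is trusted."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now or denylist.is_revoked(claims.get("jti"), now):
        return None
    return claims
```

Without a shared, durable Denylist in front of every service that accepts the token, a logged-out token verifies successfully until exp, which is the gap the comment points at.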