Idea to force invalidation/logout of JWT tokens per user #786
Replies: 3 comments 1 reply
-
After some research, I think this method would actually be worse than having a separate database (e.g. redis) to store invalid JWT tokens. This is because, in both cases, the database needs to be queried for every request, but the redis database way will be faster and not need as large an amount of storage, as tokens can be removed when they are expired. Sorry about the read leading to nowhere.
-
I've been thinking about token invalidation for a while now, and it looks to me that the best way is actually to store the token itself in the database and have it fetched at each request. Then, all we need to do to invalidate it is to delete it from the database. That's a super-classic and super-efficient approach, used in Django for example. I think I'll consider this solution in newer authentication backends.
-
Just to support the initial idea. There is no need to have any additional randomly generated string in the user database since we already have the password hash. If you use it to salt the secret, the token becomes invalid automatically when the user changes their password.
-
I'm thinking of a case where a user thinks their long-lived JWT token has been compromised (e.g. their data has changed without their consent).
One way to invalidate all JWT tokens for all users would be to change the JWT secret.
But, if JWT secrets are generated per user (e.g. by concatenating the main JWT secret with a randomly generated string saved in the UserDB database), could we then force the user's JWT tokens to be invalidated by changing the user's randomly generated string saved in the UserDB?
If others think this would work, I think it would be a nice addition (possibly optional) to fastapi-users. It would provide functionality similar to Facebook's login, where when they detect strange behaviour (e.g. multiple IP addresses being logged in), they give the user the option to sign all other devices out.
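The per-user secret proposed in this thread (a random string stored in the user table, or the password hash as the other reply suggests), as an added example that is not part of fastapi-users or of any post here. It assumes a minimal HS256 signer built on the standard library instead of a JWT library, derives the per-user key as HMAC(main secret, token_secret || hashed_password) rather than by plain concatenation, and uses a constructed in-memory user store; `MAIN_SECRET`, `USERS`, `issue_token`, `authenticate`, `revoke_all_tokens` and `change_password` are all illustrative names, not project API.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed server-wide secret; a real deployment loads it from configuration.
MAIN_SECRET = b"constructed-main-secret-do-not-reuse"

# Constructed in-memory stand-in for the user table. Each user carries a random
# per-user token_secret next to the password hash.
USERS = {
    "alice": {
        "id": "alice",
        "hashed_password": "constructed-password-hash-v1",
        "token_secret": os.urandom(16).hex(),
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_user_key(main_secret: bytes, user: dict) -> bytes:
    # Per-user signing key = HMAC(main secret, token_secret || hashed_password).
    # Rotating token_secret or changing the password changes this key, so every
    # token previously issued to the user fails signature verification.
    material = (user["token_secret"] + "|" + user["hashed_password"]).encode()
    return hmac.new(main_secret, material, hashlib.sha256).digest()


def sign_jwt(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_subject(token: str):
    # Reads the UNVERIFIED "sub" claim so the user record (and thus the key) can
    # be fetched. Nothing in it is trusted until verify_jwt succeeds.
    try:
        return json.loads(_unb64url(token.split(".")[1])).get("sub")
    except (IndexError, ValueError, AttributeError):
        return None


def verify_jwt(token: str, key: bytes, now=None):
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None
        header = json.loads(_unb64url(parts[0]))
        payload = json.loads(_unb64url(parts[1]))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        return None
    return payload


def issue_token(user: dict, ttl_seconds: int = 3600, now=None) -> str:
    now = int(time.time() if now is None else now)
    payload = {"sub": user["id"], "iat": now, "exp": now + ttl_seconds}
    return sign_jwt(payload, derive_user_key(MAIN_SECRET, user))


def authenticate(token: str, users=USERS, now=None):
    # One user-table lookup per request is unavoidable here: the key depends on
    # the user's current token_secret and password hash.
    sub = peek_subject(token)
    user = users.get(sub) if isinstance(sub, str) else None
    if user is None:
        return None
    return verify_jwt(token, derive_user_key(MAIN_SECRET, user), now=now)


def revoke_all_tokens(user: dict) -> None:
    # "Sign out all devices": rotate the random per-user material.
    user["token_secret"] = os.urandom(16).hex()


def change_password(user: dict, new_hash: str) -> None:
    # Password change invalidates outstanding tokens for free, as the thread notes.
    user["hashed_password"] = new_hash


def demo():
    user = USERS["alice"]
    token = issue_token(user)
    ok_before = authenticate(token) is not None
    revoke_all_tokens(user)
    ok_after_revoke = authenticate(token) is not None
    token2 = issue_token(user)
    change_password(user, "constructed-password-hash-v2")
    ok_after_pw_change = authenticate(token2) is not None
    return ok_before, ok_after_revoke, ok_after_pw_change
```

Note that rotation works purely through signature failure, so long-lived tokens are cut off immediately without any denylist; the cost is the per-request user lookup the first reply in this thread points out, and the `sub` read before verification must be treated as attacker-controlled input (used only as a lookup key, never acted on).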