This repository has been archived by the owner on Mar 22, 2022. It is now read-only.

Ability to invalidate old token/session when user login with another machine. #267

Closed. palamike opened this issue Aug 11, 2016 · 4 comments

Comments

@palamike

Hi All,

I'm new to feathers. I already implemented local and JWT authentication.

  1. I use local authentication to get a token.
  2. I use token authentication to call API services.

But when I log in on another machine, the old logged-in session on the old machine is still valid.

I would like to know: is there any setting or workaround to invalidate the old token or old user session, so that the old session or token is not usable anymore?

Thanks

@marshallswain (Member)

That is how JWT works. A token is valid until its expiration date. You can store the token at login, maybe with the user, or wherever you want, and run a check to see if the passed-in token matches the stored one.

@ekryski (Member)

ekryski commented Aug 11, 2016

Yup. Duplicate of #133. If you want to revoke tokens, you need to maintain a blacklist or whitelist. This is left up to you. Generally, JWT assumes that since tokens are unique and should be securely stored, if the user discards it, then it will eventually be no longer valid.

Tokens are only good for a day but you can configure their TTL as well if you want.

@ekryski ekryski closed this as completed Aug 11, 2016
@palamike (Author)

Hi all,

Thanks for your kind response. I think I will store the latest token in the database after login and then compare the latest token with JWT authentication.

By the way, I'm falling in love with feathersjs. It's really cool.

@Tolsee

Tolsee commented Aug 21, 2017

Hi,
I am just starting FeathersJS and found the same problem. I do understand the JWT should be stored for this kind of application. OK, let's suppose that I store the JWT in user/whatever storage from the authentication after hook. But when the user logs out via app.logout(), I didn't find that it calls the remove method of the authentication service. What is the way/best practice to remove the JWT on logout/password change etc. events? Please give me insight on both frontend and backend.
