
Ability to invalidate old token/session when user login with another machine. #267

Closed
palamike opened this Issue Aug 11, 2016 · 4 comments

palamike commented Aug 11, 2016

Hi All,

I'm new to feathers. I already implemented local and JWT authentication.

  1. I use local authentication to get a token.
  2. I use token authentication to call API services.

But when I log in on another machine, the old logged-in session on the old machine is still valid.

I would like to know: is there any setting or workaround to invalidate the old token or old user session, so that the old session or token is not usable anymore?

Thanks

marshallswain (Member) commented Aug 11, 2016

That is how JWT works. A token is valid until its expiration date. You can store the token at login, maybe with the user, or wherever you want, and run a check to see if the passed-in token matches the stored one.

ekryski (Member) commented Aug 11, 2016

Yup. Duplicate of #133. If you want to revoke tokens, you need to maintain a blacklist or whitelist. This is left up to you. Generally, JWT assumes that since tokens are unique and should be securely stored, if the user discards it, then it will eventually be no longer valid.

Tokens are only good for a day, but you can configure their TTL as well if you want.

ekryski closed this Aug 11, 2016

palamike (Author) commented Aug 19, 2016

Hi all,

Thanks for your kind response. I think I will store the latest token in the database after login and then compare it with the latest token during JWT authentication.

By the way, I'm falling in love with feathersjs. It's really cool.

Tolsee commented Aug 21, 2017

Hi,
I am just starting FeathersJS and found the same problem. I do understand JWT should be stored for this kind of application. OK, let's suppose that I store the JWT on the user/whatever storage from the authentication after hook. But when the user logs out via app.logout(), I didn't find that it calls the remove method of the authentication service. What is the way/best practice to remove the JWT on logout/password change etc. events? Please give me insight on both frontend and backend.
