Although an interesting solution, there are a few drawbacks to this approach, and generally, I feel that people are misunderstanding JWT. Take a look at your solution and ask yourself: "What advantages does it provide in comparison to just using auth_id as a session id?" Upon each request, you would check its existence and expiry time. Index auth_id and it will be super fast. Want to log out? Simply delete it from the database. In your case, you're calling a database every time you want to validate your JWT.
Now, what people fundamentally do not understand is that JWT is insecure by default and that the JWT itself or its claims should not be stored anywhere. A JWT should be VERIFIED and that's it. That's why it's fully stateless. If you want to have long-lived sessions, simply introduce the refresh token, which is persistent by nature. If a client tries to verify a JWT against your API and gets an unauthorized response, then the client can retry the call by providing a refresh token. Fetch the refresh token from the database, check its validity, and issue a new JWT.
P.S. Always hash the refresh tokens. Storing refresh tokens in their plain form is equivalent to storing plain text passwords.
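The split the comment describes, as an added example that is not part of the original post or its author's code: the JWT is verified statelessly (signature and expiry only, no database), while the refresh token is the only persisted credential and is stored as a hash. The secret, the in-memory dictionary standing in for the refresh-token table, and the fixed timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo secret; in practice load it from a secret store.
SECRET = b"constructed-demo-hmac-key"
# Stand-in for the refresh-token table: sha256(token) -> {"sub", "exp"}.
# Only the hash is ever written, so a leaked table does not leak usable tokens.
REFRESH_DB: dict = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(sub: str, ttl: int, now: int) -> str:
    # Minimal HS256 JWT: header.payload.signature, nothing is stored server-side.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: int):
    # Stateless check: recompute the HMAC and compare the expiry; no lookup.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_refresh_token(sub: str, ttl: int, now: int) -> str:
    # High-entropy random token; the client keeps it, the server keeps only its hash.
    token = secrets.token_urlsafe(32)
    REFRESH_DB[_hash(token)] = {"sub": sub, "exp": now + ttl}
    return token

def redeem_refresh_token(token: str, jwt_ttl: int, now: int):
    # The retry path after a 401: hash the presented token, check it is known
    # and unexpired, then mint a fresh short-lived JWT.
    row = REFRESH_DB.get(_hash(token))
    if row is None or row["exp"] <= now:
        return None
    return issue_jwt(row["sub"], jwt_ttl, now)
```

Logging a user out is then `del REFRESH_DB[_hash(token)]`; already-issued JWTs stay valid until their short expiry, which is the trade-off the comment points at.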