DEV Community

loading...

Discussion on: Securing your Node js api with JSON Web Token

Collapse
samjakob profile image
Sam (NBTX)

Personally, I'm storing a unique hash in my database associated with the JSON web token's unique ID (you could also just store this in memory but as my application is still in the development stage it gets restarted often).
That way, when the user logs out, I can just remove their hash from the database and thus invalidate their session.

It's cleaner because then I don't have to worry about wiping old keys from blacklist tables - and I don't have to deal with refreshing the tokens.

Collapse
joruch profile image
Joris

Isn't the point of using web tokens that you don't need database access to users for every request?

Thread Thread
tomharvey profile image
Tom Harvey • Edited

I was going to say that the article could benefit from more exploration of why this is a good approach.

Thread Thread
samjakob profile image
Sam (NBTX) • Edited

Good point, although this does minimize the amount of requests that you need to make to the database.