Can use expired to implement Revoking Tokens?

#1

configuration:

jwt: {
    serializer: 'lucid',
    model: 'App/Models/User',
    scheme: 'jwt',
    uid: 'email',
    password: 'password',
    options: {
      secret: Env.get('APP_KEY'),
      expiresIn: 60
    }
  }

For jwt, refresh tokens are only revoked, I want to refresh the token on exit logout, New token expiration time is 1 second :

await auth
  . withRefreshToken()
  .generateForRefreshToken(refreshToken)

generateForRefreshToken configuration :

jwt: {
    options: {
      expiresIn: 1,  //(Expire immediately after 1 second)
    }
  }

I want to try to expire as soon as 1 second after logging out? ,How can I help me achieve this?

0 Likes

#2

I think that you want to revoke the refresh token 1 second after logout. But that is not the intended use of JWT. You can’t re-invent sessions using JWT.
Moreover, refresh tokens do not have expiration time.

If you are building an API you will only need to revoke refresh tokens if you encounter suspiciuos activity. If you are building a web app you should use sessions.

jwt: {
    options: {
      expiresIn: 1,  // THIS ONLY AFFECTS ACCESS TOKENS
    }
  }

You can red more on JWT here https://fullstackmark.com/post/19/jwt-authentication-flow-with-refresh-tokens-in-aspnet-core-web-api (theory is the same).

0 Likes