Revoke JWT token for USER


#1

@romain.lanz

await auth
  .authenticator('jwt')
  .revokeTokensForUser(user);

I want to revoke the JWT token when the user clicks logout.


#2

Hey @nir-jas! :wave:

You cannot revoke a JWT because it is never stored on the server.
If you need to revoke this token, you may want to reconsider an alternative to JWT.


#3

Thanks, @romain.lanz. Any suggested alternatives?


#4

In most cases using sessions is fine.


#5

The basic workflow for JWT is:

You get the token and store it in localStorage.

// tokenFromResponse is the token string returned by the login endpoint
localStorage.setItem('token', tokenFromResponse);

And add it to the Authorization header, so that every request is authenticated.

import axios from 'axios';

const token = localStorage.getItem('token');

// An axios instance that sends the stored token on every request
const api = axios.create({
  baseURL: store.state.baseUrl,
  headers: {
    Authorization: `Bearer ${token}`,
  },
});


If you want to log the user out, all you need is to remove the token from localStorage, set it to null.

// removeItem() drops the key; setItem('token', null) would store the string "null"
localStorage.removeItem('token');

The Authorization header will be null and sending a request will fail with a 401 Unauthorized HTTP response.


#6

I want to revoke access from the server side. Because if you have the token you can access the APIs from Postman as well without logging in.


#7

@nir-jas

You need to first understand the concept of how JWT works: http://jwt.io/

As a quick overview:

  1. JWTs are not stored on the server.
  2. Once the user has the token, they can use it until it expires.
  3. That's why it's recommended to keep the expiry short.