What does auth.listTokens() do

In the app I am writing I want users to be able to generate API Tokens. Generating them is not a problem, but how to list those generated tokens?

The following command is documented.

await auth.listTokens()

however it just returns an empty array even after generating a token in the same function.

The following code outputs [] to the console

async index({ view, auth }) {
    var user = await auth.getUser()
    var token = await auth.authenticator('jwt').generate(user)
    var keys = await auth.authenticator('jwt').listTokens()
    return view.render('keys.listKeys', {keys: keys})

Hi @simonjcarr

Half point of JWT is that it is stateless and it is never stored to anywhere.

You can’t provoke access of one JWT. Only all of them at once when you change JWT secret (APP_KEY in Adonis case, if I remember correctly)

I think this gives quite good overview: https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec

1 Like

Only all of them at once

Yes, I read the same information somewhere on this forum @McSneaky

@McSneaky What I am trying to understand, is that there is a tokens table, but it is always empty.

When a personal API token is created, I would have thought it would be stored somewhere, if not I will create a my own table and store it.

When a user uses a token to gain access to the API, I can check if token has a deleted flag set, if that flag is set, I can manually send a 401

I just need to know if there is already a central place for storing tokens. If not then what is the tokens table for and what is the auth.listTokens() function for?


auth.listTokens() is part of Personal API tokens

You should use api authenticator for it, not jwt

1 Like

Thank you, I will take a look at that. It might be what I’m missing :slight_smile:

1 Like

Hello @simonjcarr

The personal tokens and JWT refresh tokens are stored in the database, since they provide access to an application forever.

This is how I look at the JWT implementation in ideal form.

  1. Issue a JWT token, along with refresh token.
  2. Keep the expiry of JWT really small.
  3. The client application can use the refresh token to transparently generate JWT token, without asking for the username and password from the user.
  4. In case of security breach, you can revoke all the refresh tokens and that will force the user to login again.

What sort of security breach can happen?

The quick one’s I can think of is.

  1. One of your client application like a mobile app had a bug, where any other app can access the storage of your app and hence can steal the JWT and refresh tokens. Same applies to browsers as well via XSS attacks.

    In this scenario, it’s best to revoke all tokens.

  2. Someone gets access to your database and steal all the refresh tokens. This will have no impact, since they will need the secretKey to encrypt those tokens first and then make a request to your app to generate JWT token. Since they don’t have the secretKey, the refresh tokens are useless to them.