How to destroy JWT Tokens on logout

Question

I am using jwt plugin and strategy in hapijs   I am able to create jwt token while login user and authenticate other API using the same token through  jwt  strategy   I am setting the token in request state USER SESSION as a cookie where USER SESSION is a token name  Also  I am not saving these token in the database   But how can I destroy jwt token at the time of logout   Please suggest a way

User · Answer

You cannot manually expire a token after it has been created. Thus, you cannot log out with JWT on the server-side as you do with sessions.

JWT is stateless, meaning that you should store everything you need in the payload and skip performing a DB query on every request. But if you plan to have a strict log out functionality, that cannot wait for the token auto-expiration, even though you have cleaned the token from the client-side, then you might need to neglect the stateless logic and do some queries. so what's a solution?

Set a reasonable expiration time on tokens
Delete the stored token from client-side upon log out
Query provided token against The Blacklist on every authorized request

Blacklist

“Blacklist” of all the tokens that are valid no more and have not expired yet. You can use a DB that has a TTL option on documents which would be set to the amount of time left until the token is expired.

Redis

Redis is a good option for blacklist, which will allow fast in-memory access to the list. Then, in the middleware of some kind that runs on every authorized request, you should check if the provided token is in The Blacklist. If it is you should throw an unauthorized error. And if it is not, let it go and the JWT verification will handle it and identify if it is expired or still active.

For more information, see How to log out when using JWT. by Arpy Vanyan

User · Answer

On Logout from the Client Side  the easiest way is to remove the token from the storage of browser   But  What if you want to destroy the token on the Node server -  The problem with JWT package is that it doesn t provide any method or way to destroy the token   So in order to destroy the token on the serverside you may use jwt-redis package instead of JWT  This library  jwt-redis  completely repeats the entire functionality of the library jsonwebtoken  with one important addition  Jwt-redis allows you to store the token label in redis to verify validity  The absence of a token label in redis makes the token not valid  To destroy the token in jwt-redis  there is a destroy method  it works in this way    1  Install jwt-redis from npm  2  To Create -  var redis   require  redis    var JWTR    require  jwt-redis   default  var redisClient   redis createClient    var jwtr   new JWTR redisClient    jwtr sign payload  secret       then  token   gt                  your code             catch  error   gt                  error handling           3  To verify -   jwtr verify token  secret     4  To Destroy -   jwtr destroy token    Note   you can provide expiresIn during signin of token in the same as it is provided in JWT

User · Answer

The JWT is stored on browser  so remove the token deleting the cookie at client side  If you need also to invalidate the token from server side before its expiration time  for example account deleted blocked suspended  password changed  permissions changed  user logged out by admin  take a look at Invalidating JSON Web Tokens for some commons techniques like creating a blacklist or rotating tokens

User · Answer

You can add  quot issue time quot  to token and maintain  quot last logout time quot  for each user on the server  When you check token validity  also check  quot issue time quot  be after  quot last logout time quot

User · Answer

While other answers provide detailed solutions for various setups  this might help someone who is just looking for a general answer  There are three general options  pick one or more   On the client side  delete the cookie from the browser using javascript   On the server side  set the cookie value to an empty string or something useless  for example  quot deleted quot    and set the cookie expiration time to a time in the past   On the server side  update the refreshtoken stored in your database  Use this option to log out the user from all devices where they are logged in  their refreshtokens will become invalid and they have to log in again

[node.js] How to destroy JWT Tokens on logout?

Blacklist

Redis

Examples related to node.js

Examples related to jwt

Examples related to hapijs