How to destroy JWT Tokens on logout

Question

I am using jwt plugin and strategy in hapijs   I am able to create jwt token while login user and authenticate other API using the same token through  jwt  strategy   I am setting the token in request state USER SESSION as a cookie where USER SESSION is a token name  Also  I am not saving these token in the database   But how can I destroy jwt token at the time of logout   Please suggest a way

User · Answer

While other answers provide detailed solutions for various setups, this might help someone who is just looking for a general answer.

There are three general options, pick one or more:

On the client side, delete the cookie from the browser using javascript.
On the server side, set the cookie value to an empty string or something useless (for example "deleted"), and set the cookie expiration time to a time in the past.
On the server side, update the refreshtoken stored in your database. Use this option to log out the user from all devices where they are logged in (their refreshtokens will become invalid and they have to log in again).

User · Answer

On Logout from the Client Side  the easiest way is to remove the token from the storage of browser   But  What if you want to destroy the token on the Node server -  The problem with JWT package is that it doesn t provide any method or way to destroy the token   So in order to destroy the token on the serverside you may use jwt-redis package instead of JWT  This library  jwt-redis  completely repeats the entire functionality of the library jsonwebtoken  with one important addition  Jwt-redis allows you to store the token label in redis to verify validity  The absence of a token label in redis makes the token not valid  To destroy the token in jwt-redis  there is a destroy method  it works in this way    1  Install jwt-redis from npm  2  To Create -  var redis   require  redis    var JWTR    require  jwt-redis   default  var redisClient   redis createClient    var jwtr   new JWTR redisClient    jwtr sign payload  secret       then  token   gt                  your code             catch  error   gt                  error handling           3  To verify -   jwtr verify token  secret     4  To Destroy -   jwtr destroy token    Note   you can provide expiresIn during signin of token in the same as it is provided in JWT

User · Answer

The JWT is stored on browser  so remove the token deleting the cookie at client side  If you need also to invalidate the token from server side before its expiration time  for example account deleted blocked suspended  password changed  permissions changed  user logged out by admin  take a look at Invalidating JSON Web Tokens for some commons techniques like creating a blacklist or rotating tokens

User · Answer

You can add  quot issue time quot  to token and maintain  quot last logout time quot  for each user on the server  When you check token validity  also check  quot issue time quot  be after  quot last logout time quot

User · Answer

You cannot manually expire a token after it has been created  Thus  you cannot log out with JWT on the server-side as you do with sessions   JWT is stateless  meaning that you should store everything you need in the payload and skip performing a DB query on every request  But if you plan to have a strict log out functionality  that cannot wait for the token auto-expiration  even though you have cleaned the token from the client-side  then you might need to neglect the stateless logic and do some queries  so what s a solution    Set a reasonable expiration time on tokens Delete the stored token from client-side upon log out Query provided token against The Blacklist on every authorized request   Blacklist     Blacklist    of all the tokens that are valid no more and have not expired yet  You can use a DB that has a TTL option on documents which would be set to the amount of time left until the token is expired   Redis  Redis is a good option for blacklist  which will allow fast in-memory access to the list  Then  in the middleware of some kind that runs on every authorized request  you should check if the provided token is in The Blacklist  If it is you should throw an unauthorized error  And if it is not  let it go and the JWT verification will handle it and identify if it is expired or still active   For more information  see How to log out when using JWT  by Arpy Vanyan

[node.js] How to destroy JWT Tokens on logout?

Examples related to node.js

Examples related to jwt

Examples related to hapijs