
How to actively logoff a user with go-guardian JWT strategy?

I'm using go-guardian with the JWT "basic-bearer" strategy for authentication in my project and it works really nicely. When the client has no token, he logs in with his credentials and receives a JWT, which he can then use for further requests like this one:

    $.ajax({
        headers: {
            'Authorization': 'Bearer ' + token
        },
        url: '/api/archive',
        type: "post",
        contentType: 'application/json; charset=utf-8',
        data: JSON.stringify(searchData),
        dataType: 'json',
        success: onDataReceived,
        error: onError
    });

However, I wonder how to do an active logoff on the server side when the client hits the /auth/logoff route, for example? Sure, the client can simply delete the token, but then the server would still accept it. How can I actively invalidate or remove a token on the server side, so that I can safely say that the client has to reauthenticate?

You can keep a separate table user_session where the session also includes the token of the user. When an endpoint is hit, you check the signature of the token and also whether that token is in the database.

You also need to store the token when users log in, and remove this token when users log out.

The reason you need multiple sessions per user is that users might log in from separate devices using multiple tokens. To log off a user you can delete that particular session from user_session, or, to log off from all devices, you can remove all sessions of that user.
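The session table described above, as an added example that is not part of the original answer or of go-guardian: an in-memory stand-in for user_session (a real deployment would back it with a database) that is consulted after the JWT strategy has verified the signature, with per-device logoff and logoff from all devices. Storing the SHA-256 of the token instead of the token itself is an added caveat, so a leaked table does not contain usable bearer tokens.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
)

// ErrNoSession: the JWT signature may still verify, but its session row is gone.
var ErrNoSession = errors.New("no active session: client must re-authenticate")
// SessionStore stands in for the user_session table. Keys are SHA-256(token),
// so a dump of the table does not hand out usable bearer tokens.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // token hash -> user
}

func NewSessionStore() *SessionStore { return &SessionStore{sessions: map[string]string{}} }
func hashToken(t string) string     { return fmt.Sprintf("%x", sha256.Sum256([]byte(t))) }
// Login records the session for a token the JWT strategy has just issued.
func (s *SessionStore) Login(user, token string) {
	s.mu.Lock(); defer s.mu.Unlock()
	s.sessions[hashToken(token)] = user
}
// Authorize is the per-request check run after signature verification:
// an unexpired token that is no longer in the store is still rejected.
func (s *SessionStore) Authorize(token string) (string, error) {
	s.mu.Lock(); defer s.mu.Unlock()
	if user, ok := s.sessions[hashToken(token)]; ok {
		return user, nil
	}
	return "", ErrNoSession
}
// Logoff revokes only the presented token, i.e. this device's session.
func (s *SessionStore) Logoff(token string) {
	s.mu.Lock(); defer s.mu.Unlock()
	delete(s.sessions, hashToken(token))
}
// LogoffAll revokes every session of the user (logoff from all devices).
func (s *SessionStore) LogoffAll(user string) (n int) {
	s.mu.Lock(); defer s.mu.Unlock()
	for h, u := range s.sessions {
		if u == user {
			delete(s.sessions, h); n++
		}
	}
	return n
}
```

The /auth/logoff handler would call Logoff with the bearer token from the Authorization header, and the middleware for every other route would call Authorize right after go-guardian's signature check.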
