
Destroy JWT token, force logout when user gets banned or edited

Good day friends,

I am developing an application; in my user system I added functionality for administrators to raise the level of an account (if the level is 10, it's an admin) or ban it from the site.

Once the user logs in, he receives a token that contains information about the level of his account, whether it is banned or not.

This function works perfectly, but if the user is banned, they can continue using the site until they receive a new token or it has expired, since the information is acquired from the token. I want to force the user to close their session (destroy JWT token) once it is banned or its level has been edited.

I can verify in the routes that every time the user makes a call, the backend checks in the database if the user is banned or not. But I would like to simplify this step so that the server does not make so many calls to the database. It occurs to me to remove the user's specific token or make it invalid once it is banned from the site or its level has been altered. So the user is forced to log in again and get a new token.

Is there a method or library that makes it easy for me to remove the tokens or make them invalid?

Because if I log in with my admin account and try to edit my account and give it level 1, I should not be able to edit this user again, because my level is 1 and I need level 10 again to use this route's functions. But I can edit it again because the token authorization is still valid, and that shouldn't happen.

I want to force the user to destroy their JWT token once it is banned or its level has been edited.

This is not possible, a user can retain any data you've given them.

The best solution you can get with tokens would be to have a very short expiry for their access tokens, and verify the blocked status and level every time you create a new one for them. If a few minutes of lag is acceptable to you, this is the way to go.

Is there a method or library that makes it easy for me to remove the tokens or make them invalid?

You are looking for plain HTTP sessions. You would not hand out any signed tokens with the data at all; you would store the session data on the server side - in RAM, an extra cache, or a database. From there you can purge it to invalidate the session and log out the user, or change their access status.

There's a standard implementation for about every server ecosystem. Don't implement this yourself with a database request on every route; use a middleware solution like express-session (see "How to use session variable with NodeJs?").
