
Node js jwt authentication

So I recently used JWT to make an auth system in my server; everything worked great, but when I wanted to make a logout route I realized something:

JWT cannot be invalidated, so instead what I did is store these tokens along with the logged-in user's id in MongoDB, so every time the user logs in the token gets saved to the DB, but hashed using the SHA-256 algorithm, in a different collection.

- I'm using it only for verification purposes, so when we hit a protected route, for example, we check if the current token that we have (from either the header or a cookie) is valid in the DB, and then, if found, we validate it using jwt.verify() and other verification steps.

I'm basically whitelisting tokens.

Benefits:

- Whenever I want to log out a user, I simply remove that token from the DB.
- Or remove all tokens with the current profile id if I want to log out all the users with this account...

Now here's my question:

  • Is my approach doable?
  • Is it bad for security (keep in mind that tokens are stored hashed)?

If you have given the JWT token an expiration time, then why do you want to store it in the database? Also, you can sign the data you want from the user object, so there is no problem with a password leak or session-token leak. And every time you want something from the JWT token you have to get it from the database and decode it, which becomes a lengthy process; it's better not to store the token in the database.

when you can store your token as a client-side cookie or in session storage. Whenever you want the token you have to decode it in your authorize file and request the id or something else, whatever you want.

You can store it in localStorage, but it cannot be recommended. You can check out this blog.

Now it's on you where to store it, and if you want to know more, check out this thread.
