Revoking existing JSON Web Tokens when updating user information

Once a user logs in with their username and password, they receive an access_token containing the payload that includes their uniqueTokenIdentifier. This unique identifier is stored for each user in the database.

If a user changes their password due to account hacking or any other reason, the password is updated in the database along with a new uniqueTokenIdentifier. As a result, any requests made using the old access token with the old uniqueTokenIdentifier will not return data related to that user. For instance, the user's messages won't be accessible as the uniqueTokenIdentifier has been changed.

Furthermore, attempting to make requests with the old access_token will trigger a 403 forbidden error since no user with the old uniqueTokenIdentifier exists in the database anymore.

This approach is designed to address situations where an account is compromised, prompting the user to change their password for security purposes. While exploring various solutions to this issue, I came across a method known as token blacklist, which keeps track of revoked tokens. However, I haven't found any information regarding the method outlined above. Are there any potential concerns or security risks associated with this solution that I may be overlooking? Your insights would be appreciated. Thank you.

Answer №1

It seems like you're looking to invalidate a token, which can be achieved in several ways:

  • Adding it to a blacklist (not ideal as it remains in the system indefinitely)
  • Setting a TTL in the past for natural expiration
  • Manually removing the token from storage if necessary

The method of invalidation depends on how and where you store the token:

  • Database?
  • Memory or file cache?
  • Session?
  • Cookie (... oh well)
  • Filesystem
  • etc.

Each storage method has its own best practices, so there's no one-size-fits-all solution without understanding your specific use case.

In any case, your validation algorithms should handle both valid and invalid tokens effectively. If an old or invalid token still passes validation due to pattern matching or some requirement, it may expose you to security vulnerabilities like relay attacks or man-in-the-middle attacks.

I'm sharing what has worked for me personally: storing tokens in memory with a set TTL, automatically cleaning them upon expiration or user action. Depending on your scenario, you could remove the token outright or set its TTL in the past for automatic cleanup and prevention of further use.

To determine the best approach for you, more information about your specific needs is required. The above method isn't the only one—there are alternatives available as well.

Hope this insight is useful.
