I would like to know the best practices to invalidate a JWT without hitting the DB when changing password/logging out.
I have the idea below to handle the above 2 cases by hitting the user database.
1. In case of password changes, I check against the password (hashed) stored in the user DB.
2. In case of logout, I save the last-logout time in the user DB, hence by comparing the token creation time and the logout time I am able to invalidate this case.
But these 2 cases come at the cost of hitting the user DB every time the user hits the API. Any best practice is appreciated.
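The two DB-backed checks described in the question, written out as an added example (not code from the poster): the token carries a fingerprint of the password hash in force at issue time, and verification rejects it when the stored hash no longer matches (password changed) or when `iat` is not newer than the user's last-logout timestamp. The user store, secret, claim name `pwf` and the hand-rolled HS256 signing are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def hash_password(password: bytes) -> str:
    # Constructed stand-in for whatever password hash the real user DB stores.
    return hashlib.sha256(password).hexdigest()


def make_users() -> dict:
    # Constructed in-memory stand-in for the user table:
    # stored password hash plus last-logout timestamp (0 = never logged out).
    return {"alice": {"pw_hash": hash_password(b"old-password"), "last_logout": 0}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pw_fingerprint(pw_hash: str) -> str:
    # Short digest of the stored hash: binds the token to the password in force
    # at issue time without placing the hash itself in the readable payload.
    return hashlib.sha256(pw_hash.encode()).hexdigest()[:16]


def issue_token(secret: bytes, users: dict, username: str, now: int, ttl: int = 3600) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": username,
        "iat": now,
        "exp": now + ttl,
        "pwf": _pw_fingerprint(users[username]["pw_hash"]),  # assumed claim name
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, users: dict, token: str, now: int) -> tuple:
    """Return (accepted, reason). Signature and expiry are checked before any DB lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return (False, "bad signature")
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return (False, "malformed")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return (False, "malformed")
    if header.get("alg") != "HS256":
        return (False, "unexpected alg")
    if payload.get("exp", 0) <= now:
        return (False, "expired")
    # The two checks from the question; both need the user record from the DB.
    user = users.get(payload.get("sub"))
    if user is None:
        return (False, "unknown user")
    if payload.get("pwf") != _pw_fingerprint(user["pw_hash"]):
        return (False, "password changed")
    if payload.get("iat", 0) <= user["last_logout"]:
        return (False, "logged out")
    return (True, "ok")


if __name__ == "__main__":
    users = make_users()
    secret = b"constructed-demo-secret"
    tok = issue_token(secret, users, "alice", now=1000)
    print(verify_token(secret, users, tok, now=1001))        # (True, 'ok')
    users["alice"]["last_logout"] = 1500                    # user logs out
    print(verify_token(secret, users, tok, now=1600))        # (False, 'logged out')
    users["alice"]["pw_hash"] = hash_password(b"new-password")
    tok2 = issue_token(secret, users, "alice", now=1601)
    users["alice"]["pw_hash"] = hash_password(b"newer-password")
    print(verify_token(secret, users, tok2, now=1602))       # (False, 'password changed')
```

The logout comparison is `iat <= last_logout`, so a token issued in the same second as a logout is rejected; with second-granularity timestamps that is the safe direction. Both revocation checks still require the user record, which is exactly the per-request DB read the question wants to avoid.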