Lexikjwtauthenticationbundle: There is a way to revoke token on logout?

Created on 10 Mar 2021  路  4Comments  路  Source: lexik/LexikJWTAuthenticationBundle

Could someone figure out how it possible to mark exisiting token as invalid? I know that it possible if user object will be changed.
Any ideas?
P.S. And we talking about BE side, not about simple token removal on FE side

Most helpful comment

You can add custom field as example "hash" to your payload and User entity with random generated value like bin2hex(random_bytes(16)) and to make it more unique you can add time() and sha1() it. This way you won't worry about duplicates. After that you can create a protected endpoint like /api/revoke and when a valid token is submitted and passes authorization you can clear the User entity "hash" field in the database. Then add an event subscriber or listener to JWT_DECODED to check the database for the user and the hash and if the hash doesn't match deny the request or $event->markAsInvalid()

All 4 comments

You can add custom field as example "hash" to your payload and User entity with random generated value like bin2hex(random_bytes(16)) and to make it more unique you can add time() and sha1() it. This way you won't worry about duplicates. After that you can create a protected endpoint like /api/revoke and when a valid token is submitted and passes authorization you can clear the User entity "hash" field in the database. Then add an event subscriber or listener to JWT_DECODED to check the database for the user and the hash and if the hash doesn't match deny the request or $event->markAsInvalid()

Thanks for advice!, I have some outlines with useless User's field but looking for solution without DB manipulation

Revoking tokens implies to checks the state of a token at some point, so persisting that state is not an option.
You might use something else that your application database, e.g. cookies or a redis db.

thanks for your opinion! Let's close this issue

Was this page helpful?
0 / 5 - 0 ratings