Could someone figure out how it possible to mark exisiting token as invalid? I know that it possible if user object will be changed.
Any ideas?
P.S. And we talking about BE side, not about simple token removal on FE side
You can add custom field as example "hash" to your payload and User entity with random generated value like bin2hex(random_bytes(16)) and to make it more unique you can add time() and sha1() it. This way you won't worry about duplicates. After that you can create a protected endpoint like /api/revoke and when a valid token is submitted and passes authorization you can clear the User entity "hash" field in the database. Then add an event subscriber or listener to JWT_DECODED to check the database for the user and the hash and if the hash doesn't match deny the request or $event->markAsInvalid()
Thanks for advice!, I have some outlines with useless User's field but looking for solution without DB manipulation
Revoking tokens implies to checks the state of a token at some point, so persisting that state is not an option.
You might use something else that your application database, e.g. cookies or a redis db.
thanks for your opinion! Let's close this issue
Most helpful comment
You can add custom field as example "hash" to your payload and User entity with random generated value like bin2hex(random_bytes(16)) and to make it more unique you can add time() and sha1() it. This way you won't worry about duplicates. After that you can create a protected endpoint like /api/revoke and when a valid token is submitted and passes authorization you can clear the User entity "hash" field in the database. Then add an event subscriber or listener to JWT_DECODED to check the database for the user and the hash and if the hash doesn't match deny the request or $event->markAsInvalid()