• linus_hologram

    2 years ago
    Every time I generate a token pair (access & refresh), I store them in the database. As per your advice from the blog entry, I would like to delete (revoke) the old refresh token upon the first usage of the newly generated access token. How can I achieve this? Like, where do I store the old refreshToken so that I can delete the database entry upon the usage of the new one? My idea would be the following: Every token pair is stored in a document that has its _id field (which is unique). I could put the document id of the old token pair into the payload of each of the newly generated tokens. If the client then proceeds to send a request with the new access token, I delete the old ones from the database, using the document id from the payload. If the client, for some reason, receives the new token pair and doesn't send a new request before the fresh access token expires, it would use the generated refresh token to generate a new token pair. In that case, I would also delete the old ones from the database, using the document id from the payload. I know this is a very complex message, can you just tell me if this is somehow an acceptable way to approach my issue? @User
• rp

    2 years ago
    From what I understand, you are attempting to delete the old refresh token at the time the new one is issued. If this is correct, you will eventually run into problems where the old one is revoked and the new one doesn't reach the client (network issues...) and your user is logged out.
• rp

    2 years ago
    To solve this, you must delete the old one only when the new access token / refresh token is used.
• linus_hologram

    2 years ago
    Exactly, that's what I'm trying to do, as I pass the object id (MongoDB's document id) from the old token document as payload to the newly generated tokens. Only if the user uses one of the new tokens will the document of the old tokens be deleted.
• linus_hologram

    2 years ago
    Is that reasonable to do or would you recommend a different approach?
• rp

    2 years ago
    Yea, this is good!
• linus_hologram

    2 years ago
    Thanks so much 🙂
• rp

    2 years ago
    You're welcome.
• linus_hologram

    2 years ago
    With JWT, it would be detected if something in the token's payload is changed on the client side, right?
• rp

    2 years ago
    Yea, because they're signed.