# ktor
Is there any option to delete, clear, or set as expired some JWT token? If a user chooses to log out from all other devices, I need to get all tokens with the claim (email) and delete them. Also, if a user changes their password, the old token still works. Do I need to check the password to validate the JWT? I think that's too many database requests. Thanks.
Can you please share some code to illustrate your issue?
Here is the code that generates the JWT token.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import java.util.Date

// Mints an HS256 token for the user; it is valid for five minutes from now.
fun generateJwtForUser(email: String, uuid: String): String {
    return JWT
        .create()
        .withAudience(jwtAudience)
        .withIssuer(jwtDomain)
        .withClaim("email", email)
        .withClaim("uuid", uuid)
        .withExpiresAt(Date(System.currentTimeMillis() + 60_000 * 5))
        .sign(Algorithm.HMAC256(jwtSecret))
}
```
And here is the login route.

```kotlin
// Imports assume the Ktor 2.x package layout.
import io.ktor.http.HttpStatusCode
import io.ktor.server.application.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

fun Route.loginUserRoute(
    path: String,
    userRepository: UserRepository,
    userJwtToken: UserJwtToken
) {
    post(path) {
        val input = call.receive<UserLogin>()
        val user = userRepository.getUserByEmail(input.email)
        if (user != null && user.checkPassword(input.password, input.email)) {
            val token = userJwtToken.generateJwtForUser(user.email, user.id ?: "")
            call.respond(HttpStatusCode.OK, "successful login $token")
            return@post
        }
        // Same status and message whether the email is unknown or the password is wrong,
        // so the endpoint does not confirm which addresses have accounts. The user object
        // and the submitted email are not echoed back for the same reason.
        call.respond(HttpStatusCode.Unauthorized, "invalid credentials")
    }
}
```
Problem 1: a user can log in and generate as many JWTs as they want, and all of them are valid at the same time. Is there a way to check if the JWT class holds a previous token with the same email?
Problem 2: the user changes their password but their old token is still valid. I can remove it from the user's device when they change the password, but if their old password was stolen, then they or another device still have a valid token.
Problem 3: how do you sign out from all other devices? All other devices have a token that's valid until it expires.
Here is the validate block.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import io.ktor.server.auth.*
import io.ktor.server.auth.jwt.*

authentication {
    jwt {
        realm = jwtRealm
        // Signature, exp, iss and aud are checked by the verifier before validate() runs.
        verifier(
            JWT
                .require(Algorithm.HMAC256(jwtSecret))
                .withAudience(jwtAudience)
                .withIssuer(jwtDomain)
                .build()
        )
        validate { credential ->
            // asString() returns null for a missing claim, and `null != ""` is true,
            // so the earlier `!= ""` test accepted a token with no email or uuid at all.
            val email = credential.payload.getClaim("email").asString()
            val uuid = credential.payload.getClaim("uuid").asString()
            if (credential.payload.audience.contains(jwtAudience) &&
                !email.isNullOrEmpty() &&
                !uuid.isNullOrEmpty()
            ) {
                JWTPrincipal(credential.payload)
            } else {
                null
            }
        }
    }
}
```
Is that enough code? Basically I want something like JWT.deleteTokenWithClaim(email) or something like that.
Do you use any persistent storage for managing user sessions? Where do you want to delete the JWT token from?
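The thread does not get to an answer, so here is an added example (editor's code, not from anyone in the thread) of the usual way to make stateless JWTs revocable without storing the tokens themselves: keep one "token version" number per user, stamp it into every token at issue time, and reject any token whose stamp no longer matches. Bumping the number on a password change or on "log out from all devices" kills every outstanding token for that user at once. It uses the same com.auth0 java-jwt library as the posted code; `TokenVersionStore`, `RevocableJwt`, the claim name `ver` and the in-memory map standing in for the user table are all assumptions made for the example.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import java.util.Date
import java.util.UUID
import java.util.concurrent.ConcurrentHashMap

// Hypothetical stand-in for the user table: one token version per user.
// In a real deployment this is a column next to the password hash, so the
// read in validate() is a single indexed lookup (and it caches well).
class TokenVersionStore {
    private val versions = ConcurrentHashMap<String, Long>()

    fun current(email: String): Long = versions.getOrDefault(email, 0L)

    // Call on password change or "log out from all devices". Every token minted
    // with an older version is rejected from now on; no token list is needed.
    fun bump(email: String): Long = versions.merge(email, 1L) { old, inc -> old + inc }!!
}

class RevocableJwt(
    secret: String,
    private val issuer: String,
    private val audience: String,
    private val store: TokenVersionStore,
    private val ttlMillis: Long = 5 * 60_000L,
) {
    private val algorithm = Algorithm.HMAC256(secret)
    private val verifier = JWT.require(algorithm)
        .withIssuer(issuer)
        .withAudience(audience)
        .build()

    fun issue(email: String, uuid: String): String = JWT.create()
        .withIssuer(issuer)
        .withAudience(audience)
        .withJWTId(UUID.randomUUID().toString()) // unique id, useful if a per-token denylist is added later
        .withClaim("email", email)
        .withClaim("uuid", uuid)
        .withClaim("ver", store.current(email))   // snapshot of the user's version at issue time
        .withIssuedAt(Date())
        .withExpiresAt(Date(System.currentTimeMillis() + ttlMillis))
        .sign(algorithm)

    // Returns the email if the token is authentic, unexpired and not revoked; null otherwise.
    fun validate(token: String): String? {
        val decoded = try {
            verifier.verify(token) // signature, exp, iss, aud
        } catch (e: JWTVerificationException) {
            return null
        }
        // asString()/asLong() return null for a missing claim, so check for null explicitly.
        val email = decoded.getClaim("email").asString()
        val ver = decoded.getClaim("ver").asLong()
        if (email.isNullOrEmpty() || ver == null) return null
        // Revocation check: one store read per request.
        return if (ver == store.current(email)) email else null
    }
}

fun main() {
    val store = TokenVersionStore()
    val jwt = RevocableJwt("change-me-to-a-long-random-secret", "https://example.com", "api", store)

    // Two devices, two tokens, both valid at the same time (the asker's problem 1).
    val phone = jwt.issue("alice@example.com", "u-1")
    val laptop = jwt.issue("alice@example.com", "u-1")
    println("both valid: ${jwt.validate(phone) != null && jwt.validate(laptop) != null}")

    // Password change or "log out everywhere": one write, and both tokens are dead.
    store.bump("alice@example.com")
    println("old tokens still valid: ${jwt.validate(phone) != null || jwt.validate(laptop) != null}")

    // A token issued after the bump carries the new version and works.
    val fresh = jwt.issue("alice@example.com", "u-1")
    println("fresh token valid: ${jwt.validate(fresh) != null}")
}
```

In the posted Ktor setup the `ver` comparison belongs in the `validate { credential -> ... }` block: the `verifier(...)` has already checked signature, expiry, issuer and audience, so `validate` only has to read the user's current version from the repository and return `null` when `credential.payload.getClaim("ver").asLong()` differs. That is one indexed read per request, which is the cost of being able to revoke anything with a JWT; caching the version for a few seconds keeps it cheap. Calling `bump` at every login turns the scheme into one live session per user, if that is what problem 1 is really asking for. Logging out a single device without touching the others needs a different mechanism, a denylist of `jti` values kept until their `exp`, which is why the example stamps a `jti` into each token.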