How to manage login activity using JWT in NodeJs

About JWT – Logout From All Devices – Nodejs Example

JWT (JSON Web Tokens) is a stateless way of handling authentication in our app. For each login request, the server generates a token and sends it to the front-end, where it is stored and attached to every subsequent request to authenticate it.

But since the JWT is stateless, it is not (and should not be) stored in any database or other storage. So if a user wants to log out from a particular device, or from all devices, there is no way to do it with plain JWT authentication the way there is with traditional session authentication. What if I tell you there is a way to solve this problem without giving up the stateless nature of JWT, and without even using secondary storage like Redis?

Problem with using Redis for storing tokens

Redis is an open-source, in-memory data structure store, generally used as a database, cache, and message broker. To implement logout-from-all-devices functionality, the token must be blacklisted, and since the JWT is stateless it is not recommended to store the token in the database. So Redis is brought in as an intermediate data store: the user's tokens are kept there, and when the user wants to log out from all devices, the backend fetches all of that user's tokens and blacklists them. The biggest issue with this approach is that the token is now stored in a common data store, which affects the stateless nature of the token. It is also difficult to keep track of which token was used to log in from which device for a given user.

Problem with using Session authentication

Although implementing logout-from-all-devices functionality with sessions is easy, session authentication has problems of its own. First, the session id must be stored in a cookie in the browser, which could make the authentication mechanism unreliable. Second, unlike token-based authentication, session-based authentication is not stateless. Sessions vs. token authentication can be a hot topic, but that is not what we are here to discuss.

Solution

To overcome all these problems, we create a unique token_id for every token issued and put it in the token's payload alongside the user id. The same token_id is stored in a separate UserLogins table, which holds the login information (IP address and user-agent) and two boolean fields: token_deleted, which records whether the token has been marked deleted, and logged_out, which records whether the user logged out from that device. When a user wants to log out from a particular device, the front-end only has to pass the id of that UserLogins record in the URL; the token with that token_id is marked as deleted, logged_out is set to true, and the user can no longer authenticate with that token. Hence the stateless nature of the token is maintained along with the security and reliability of token authentication.
