How to destroy JWT Tokens on logout?

node.js jwt hapijs
Garima picture Garima · Jun 22, 2016 · Viewed 135.1k times · Source

I am using jwt plugin and strategy in hapijs.

I am able to create jwt token while login user and authenticate other API using the same token through 'jwt' strategy.

I am setting the token in request.state.USER_SESSION as a cookie where USER_SESSION is a token name. Also, I am not saving these token in the database.

But how can I destroy jwt token at the time of logout?

Please suggest a way.

Answer

pedrofb picture pedrofb · Jun 22, 2016

The JWT is stored on browser, so remove the token deleting the cookie at client side

If you need also to invalidate the token from server side before its expiration time, for example account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin, take a look at Invalidating JSON Web Tokens for some commons techniques like creating a blacklist or rotating tokens

Related questions

Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a …

Read More
JWT (JSON Web Token) automatic prolongation of expiration

I would like to implement JWT-based authentication to our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don't want users to need to sign in after every X …

Read More
jwt check if token expired

I've configured the token like this: jwt.sign( { user: pick(user, ['_id', 'username']) }, secret, { expiresIn: '2m' } ); But when I want to check if the token was expired, this code doesn't work function isAuthenticated() { const token = localStorage.getItem('token'); …

Read More