Am creating a node.js backend app using JWT. For me the requirement is simple, that the authorization token shouldn't have any expiry time. But I am facing problem during invalidating JWT When user changes his password.
When user changes his password, I will create a new JWT Token, and delete the old token, but still the user can use his old JWT token (from other logged in devices) and can access the application.
So can anyone tell me how to avoid this scenario?
Looks like a familiar question to me, I have already answered the similar question Best practices to Invalidate a JWT Token .
So the steps for solving ur problem as follows,
when user login, create a login token in his user database with no expiry time.
Hence while invalidating a JWT, follow the below steps,
So basically you need to store tokens in user's database and make use of it while invalidating. Simple :)