Hello, does anyone know how it is possible to destroy a token in NodeJS? I am using JWT to do a password reset, then I send an url to the user by email with a token, the system verifies the token using jwt.verify()
and if it is correct it updates the password, the problem is that this token is active let's say it has a duration of 1h, and to give it more security I would not like this token to remain there being valid for 1h, so what I want to do is destroy the token which I have after updating the password so that it can only be used one time. How can this be done with jwt?
A JWT token cannot be revoked . JWT is mainly used for system authentication , not as a process identifier. Yours can be done in two ways:
Using a table
The following example is using sequelize and moment :
When a password reset request comes in, you check if the deadline has already expired:
Using a token
Using a token is similar, when the password reset request is made you generate the token with a maximum time.
This token is saved in
sessionStorage
:And when the recovery button is clicked, the request is sent to the frontend from there to send the request to the backend by sending the token.
When the backend receives the token, it checks if it has not yet expired:
At the end of this process, if the token has not expired, it will be redirected to:
http://tuapp.com/[email protected]
, where you must put a form to update the password and send the queryemail
.It should be noted that the token must be removed from
sessionStorage
if it has already expired or if the password has already been changed.