Message from JavaScript discussions

January 2018

— And a DB table just for blacklisted tokens that you check every time

— I would not use jwt unless you fully understand how jwt works and how it should, and should not, be used

— Even if you use a library, it can't protect you from misusing it

— Wat? That defeats the purpose

— It's the only way to "revoke" tokens

— Then in addition you can run randomized GC on the table to clear out expired tokens

— So you actually store tokens

— If you need a DB you can just avoid jwt entirely and use normal stateful sessions

— You have to store them to "revoke" them, yes

— Otherwise, there is no way to stop an attacker from using the token

— You should detect the CSRF attempt and blacklist the jwt

— Which is by design