Sunday, September 4, 2022

[FIXED] How to manage multi-device simultaneous login with JWT tokens?

      , , , ,      No comments   

Issue

My query is regarding supporting multi-device login for the same user at the same time using JWT tokens. I am using NestJS as my backend.

User table: userid, username, password(contains hashed password), name, refreshToken(contains hashed refresh token)

When the user does a /api/login call, on having a valid username and password, the access token and refresh token are generated using jwt passport library. The refresh token is hashed and stored in the refresh column of the user table for that particular user and the access token and the refresh token are sent to the client through the response.

During the /api/refresh call, the refresh token sent by the user is validated with the hashed refresh token that is present in the user table for that user and then, a new access token and a new refresh token are generated. The new refresh token is hashed and updated in the user table refreshToken column for that same user row.

This flow works perfectly for a user logged in with a single device. When the same user gets logged in using multiple devices at the same time, during login, the refresh token is updated in the refreshToken column of the user table for the same user row, which makes us lose an existing/valid refresh token for the same user.

Flow:

  1. user 1 logs in using device 1 --> refreshToken column for user 1 is updated with a new refresh token
  2. user 1 logs in using device 2 --> refreshToken column for user 1 is overwritten with a new refresh token and we lose the refresh token that was created for device 1

I would like to know what would be the best industrial practice to manage the JWT refresh flow for a user logged in with multiple devices at the same time?


Solution

The simplest way would be to keep the refresh tokens in a separate table. Usually, refresh tokens are kept separately from the user's account data, as the user can have more refresh tokens active at any given time. Whenever a refresh token is used you can find the concrete token and create a new one in its place.

By the way, there is no need to hash the refresh tokens kept in your database. They are unique to your system, they're not passwords.



Answered By - Michal Trojanowski
Answer Checked By - Candace Johnson (PHPFixing Volunteer)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...