Token Tracking with GuardianDb
• elixir and guardian
I’ve loved working on Guardian, but one thing has bothered me. When you log out, vanilla Guardian (and every vanilla JWT implementation) doesn’t actually invalidate the token, because all the information about the token is stored inside the token itself.
This usually leads to short expiry times as a way of keeping a handle on it. Even then you can’t actually revoke a token, so when someone logs out their token is still valid until it expires.
Initially my thought was to try and tie the token to the CSRF token, but this turned out not to be such a good idea (and practically impossible with masked CSRF tokens). Instead I wanted a way to keep a tight leash on tokens: when you log out they should no longer be valid. I didn’t want to load up Guardian with a bunch of database assumptions and baggage for everyone’s app though, so it had to stay out of Guardian core.
The result is GuardianDb. This is a simple plugin that integrates via Guardian.Hooks.
With it:
- Every token is stored in the database (keyed by the jti, a UUID)
- When a token is encoded, a database entry is created
- Every time you verify a token (on each page request) the entry is checked. If the entry is missing, the token does not verify
- When you log out, or call Guardian.revoke!, the entry is removed
You can also clear out stale tokens using GuardianDb.Token.purge_expired_tokens!
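To make that model concrete, here is an added Python sketch of the same jti allow-list (illustration only, not GuardianDb’s Elixir code): signing and expiry checks as usual, plus a store that is written on encode, consulted on verify, emptied on revoke and purged of expired rows. It assumes an in-memory dict in place of the database table and a constructed signing secret.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # stand-in for the app's signing secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class TokenStore:
    """In-memory stand-in for the GuardianDb table: jti -> exp."""
    def __init__(self):
        self.rows = {}

    def encode_and_sign(self, sub, ttl=3600, now=None):
        now = int(time.time()) if now is None else now
        claims = {"sub": sub, "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        self.rows[claims["jti"]] = claims["exp"]  # the after-encode step: one row per token
        return f"{header}.{body}.{_b64(sig)}"

    def verify(self, token, now=None):
        """Signature and exp as usual, then the GuardianDb check: no row, no verify."""
        now = int(time.time()) if now is None else now
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return None
            claims = json.loads(_unb64(body))
            if claims["exp"] <= now or claims["jti"] not in self.rows:
                return None
            return claims
        except (ValueError, KeyError):  # malformed token, bad base64/JSON, missing claim
            return None

    def revoke(self, token):
        # Guardian.revoke! equivalent: drop the row so every later verify fails
        _, body, _ = token.split(".")
        self.rows.pop(json.loads(_unb64(body))["jti"], None)

    def purge_expired(self, now=None):
        """purge_expired_tokens! equivalent; returns how many rows were removed."""
        now = int(time.time()) if now is None else now
        stale = [jti for jti, exp in self.rows.items() if exp <= now]
        for jti in stale:
            del self.rows[jti]
        return len(stale)
```

The `now` parameter exists only so the expiry and purge behaviour can be exercised deterministically; in real use you would let it default to the clock.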
Setup is simple (and included in the README.md). Generate the migration and then add to your config:
You’ll need Guardian 0.6.1 or greater to have the right hooks available.