Open
Description
I don't believe that this system is very secure, as:
- There is no way to invalidate tokens.
- On logout, the user is simply passed an expired token.
- This means that a bad actor could easily use the old token to access the account.
- The only safeguard is sending the token as an httpOnly cookie, which merely prevents scripts from accessing the token on supported browsers.
In general, JWTs should have short times to expiry unless they can be revoked (such as by using a whitelist/blacklist on server).
Decreasing the JWT's time to live will only decrease user satisfaction by requiring more frequent re-logins.
The best way to solve the issue (in my opinion) would be to save some kind of session-based approach. This will reduce the scalability of the app, though this could be improved by implementing a dedicated auth server or by using a 3rd party authentication provider.
Not sure whether this is in the scope of the project, but I wanted to get these concerns out there just in case anyone is considering using this auth scheme in their own projects.
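As an added illustration, not code from this issue or from the project it concerns: a minimal HS256-style token issuer with a server-side denylist keyed on the `jti` claim. It shows the failure the issue describes (handing the client an expired cookie leaves the original token valid until `exp`) next to the revocation approach the issue suggests (recording the token id at logout so later presentations are refused). The signing key, user name and timestamps are constructed for the example; a real deployment would use a maintained JWT library and a shared store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key for this example only (not a project value).
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue an HS256-style JWT carrying a unique 'jti' so one token can be revoked on its own."""
    now = time.time() if now is None else now

    def dump(obj) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(16)}
    signing_input = _b64url(dump(header)) + "." + _b64url(dump(payload))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationStore:
    """Server-side denylist of revoked token ids; each entry is kept only until its token expires anyway."""

    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: float) -> int:
        """Drop entries whose token has expired (exp check rejects them regardless); returns count removed."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)


def verify(token: str, store: RevocationStore, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if signature, expiry and revocation checks all pass; otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SECRET, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(parts[2])):
            return None
        payload = json.loads(_unb64url(parts[1]))
    except ValueError:  # bad base64 padding or malformed JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    if store.is_revoked(payload.get("jti", "")):
        return None
    return payload


def logout_naive(user: str, now: Optional[float] = None) -> str:
    """The behaviour the issue describes: the client receives an already-expired token, nothing is recorded."""
    return issue_token(user, ttl_seconds=0, now=now)


def logout_revoking(token: str, store: RevocationStore, now: Optional[float] = None) -> bool:
    """Logout that records the token's jti so every later presentation of that token is rejected."""
    claims = verify(token, store, now)
    if claims is None:
        return False
    store.revoke(claims["jti"], claims["exp"])
    return True


def demo() -> dict:
    """Walk both logout styles through fixed, constructed timestamps and report what verify() decides."""
    now = 1_700_000_000.0
    store = RevocationStore()
    token = issue_token("alice", ttl_seconds=3600, now=now)

    # Naive logout: the replacement cookie is expired, yet the original token still verifies.
    replacement = logout_naive("alice", now=now)
    naive_old_token_still_valid = verify(token, store, now + 10) is not None
    replacement_rejected = verify(replacement, store, now + 10) is None

    # Revoking logout: the same token is refused on its next use.
    revoked = logout_revoking(token, store, now + 10)
    revoked_token_rejected = verify(token, store, now + 20) is None

    # Housekeeping: once the token would have expired anyway, its denylist entry can be dropped.
    purged = store.purge(now + 3601)

    return {
        "naive_old_token_still_valid": naive_old_token_still_valid,
        "replacement_rejected": replacement_rejected,
        "revoked": revoked,
        "revoked_token_rejected": revoked_token_rejected,
        "purged": purged,
    }


if __name__ == "__main__":
    print(demo())
```

The denylist only has to hold ids of tokens that were logged out before their `exp`, and `purge()` trims it as they expire, so it stays small even with a long TTL; putting it in a cache shared by all app instances addresses the scalability concern the issue raises without falling back to full server-side sessions.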
Metadata
Assignees
Labels
No labels