
Is it possible to invalidate users if using jwt? #662

Closed
5 tasks
s-kris opened this issue Sep 11, 2020 · 5 comments
Labels
question (Ask how to do something or how something works), stale (Did not receive any activity for 60 days)

Comments

@s-kris

s-kris commented Sep 11, 2020

Your question
Is it possible to invalidate a user after they create an account/login?

What are you trying to do
I'm using next-auth with JWT.
Example:
A user is logged into application with facebook. We delete/suspend the account from database. But the user is still loggedin to the application and jwt token is still valid. Is there a way to invalidate the user login and JWT token?

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

  • Found the documentation helpful
  • Found documentation but was incomplete
  • Could not find relevant documentation
  • Found the example project helpful
  • Did not find the example project helpful
s-kris added the question label Sep 11, 2020
@iaincollins
Member

Great question!

No it's not is the short answer, this is one of the challenges for JWT.

The best way around this that folks usually use to address this situation is to have a short session expiry time (e.g. 10-15 minutes) and use logic when refreshing the token to check to see if an account is still valid / flagged / etc. In the case of NextAuth.js, this logic would typically be placed in the jwt callback.

NextAuth.js actually has some great options if you want to do this, you can set clientMaxAge and keepAlive times in _app.js which will have Single Page Apps automatically refresh tokens if an app is open and running in the background, so that it works well even for very short expiry times.

https://github.com/nextauthjs/next-auth-example/blob/main/pages/_app.js

The only downside to short session expiry times is that the user will need to sign in again if the session expires - which might be fine depending on the context of the app. If their account is still enabled and not blocked, it should be as simple as clicking the sign in button again (in theory you could even automate this with silent login if you wanted to get fancy, though NextAuth.js doesn't include explicit code to do this for you currently).

@s-kris
Author

s-kris commented Sep 23, 2020

Thanks @iaincollins sorry for not mentioning explicitly,
I generally use silent refresh in my spa apps.

Can we add jwt token invalidation by checking if user account is present in the database upon appLaunch/routeChange in core Next-Auth lib itself?

@stale

stale bot commented Dec 5, 2020

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. Thanks!

stale bot added the stale label Dec 5, 2020
@stale

stale bot commented Dec 12, 2020

Hi there! It looks like this issue hasn't had any activity for a while. To keep things tidy, I am going to close this issue for now. If you think your issue is still relevant, just leave a comment and I will reopen it. (Read more at #912) Thanks!

stale bot closed this as completed Dec 12, 2020
@nhuethmayr

Is this still the case? Why not use the session() callback and omit returning the user property if it got disabled/deleted? From what I can see this immediately causes every backend route to return HTTP 401

Couldn't useSession() or getSession() make use of those HTTP 401 to trigger a redirect?
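The two approaches raised in this thread, re-checking the account inside the jwt callback on every refresh (iaincollins) and dropping the user property in the session callback so protected routes answer 401 (nhuethmayr), as an added example that is not from the issue or from next-auth itself. The callbacks are written as plain functions in the shape NextAuth.js calls them; the in-memory users map, isAccountActive, setAccountStatus and resolveRequest are assumptions standing in for a real database and a protected route.

```javascript
// Constructed in-memory user table standing in for the application's database.
const users = new Map([
  ["u1", { id: "u1", email: "alice@example.com", status: "active" }],
  ["u2", { id: "u2", email: "bob@example.com", status: "suspended" }],
]);

// Hypothetical lookup; a real app would query its database here (usually async).
function isAccountActive(userId) {
  const row = users.get(userId);
  return row !== undefined && row.status === "active";
}

// Hypothetical admin action: suspend or delete an account after the user signed in.
function setAccountStatus(userId, status) {
  if (status === "deleted") users.delete(userId);
  else if (users.has(userId)) users.get(userId).status = status;
}

// Shape of the NextAuth.js jwt callback: `user` is present only on the initial
// sign-in; on every later refresh only `token` is passed. Re-checking the account
// each time means a suspended or deleted account loses access at the next refresh.
function jwtCallback({ token, user }) {
  const next = { ...token };
  if (user) next.sub = user.id; // initial sign-in: bind the token to the account
  next.accountActive = isAccountActive(next.sub);
  return next;
}

// Shape of the NextAuth.js session callback: what the client and API routes see.
// Omitting `user` leaves no identity in the session, so guarded routes reject it.
function sessionCallback({ session, token }) {
  if (!token.accountActive) {
    const { user: _omitted, ...withoutUser } = session;
    return withoutUser;
  }
  return { ...session, user: { ...session.user, id: token.sub } };
}

// Runs both callbacks the way a token refresh followed by a protected route would:
// the route answers 401 whenever the resolved session carries no user.
function resolveRequest(token) {
  const refreshed = jwtCallback({ token });
  const session = sessionCallback({
    session: { user: { email: token.email }, expires: "2020-09-11T12:15:00.000Z" }, // constructed
    token: refreshed,
  });
  return { status: session.user ? 200 : 401, session, token: refreshed };
}
```

With clientMaxAge and keepAlive set as described above, the refresh runs on its own, so the 401 shows up within one expiry window of the account change rather than only at the next manual sign-in.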
