My FeedDiscussionsHeadless CMS
Sign in
Log inSign up
Learn more about Hashnode Headless CMSHashnode Headless CMS
Collaborate seamlessly with Hashnode Headless CMS for Enterprise.
Upgrade ✨Learn more
mathew adetunji

1 like

·

115 reads

3 comments

José Pablo Ramírez Vargas
José Pablo Ramírez Vargas
Dec 11, 2022

Don't save tokens in the database. It is the same as saving a user's password in clear text.

·
·2 replies
mathew adetunji
mathew adetunji
Author
·Dec 12, 2022

Thanks for the comment and for pointing that out, how should token be handled without using third-party solutions?

·
José Pablo Ramírez Vargas
José Pablo Ramírez Vargas
Dec 12, 2022

mathew adetunji Hi. Generally speaking, the safest way to invalidate tokens is by demanding a specific minimum issued at time.

I explain the logic behind this invalidation method here. This can be refined to apply to refresh tokens only, if you wish, or invalidating per token type.

You'll also see alternative 1 that tells you to key the tokens. Then you can more safely save token keys, not tokens. I discourage this path, though, because of the extra administrative work around maintaining the keys.

·