Should I store JWT tokens in redis?

node.js mongodb express redis jwt
31,913

Solution 1

TLDR: If you want the capability to revoke the token at some point, yes, store it in something fast like Redis.

One of the well documented drawbacks of using JWT is that there's no simple way to revoke a token if for example a user needs to be logged out or the token has been compromised. Revoking a token would mean to look it up in some storage and then deciding what to do next. Since one of the points of JWT is to avoid round trips to the db, a good compromise would be to store it in something less taxing than an rdbms. That's a perfect job for Redis.

As suggested in the comments a good approach is to make the list a blacklist (i.e. a list of invalidated tokens). Upon each request you look up the list to ensure the token is not present in it. You can further improve on memory space and performance during the lookup step by using a probabilistic algorithm to store the token. A simple approach is to have layered lookups. For instance, you could have a small in-app store that only tracks the first few (e.g 1 to 4) bytes of your blacklisted tokens. Then the redis cache would track a slightly more complete version of the same tokens (e.g. first 2 to 8 bytes). You can then store a full version of the blacklisted tokens using a more persistent solution (filesystem, rdbms, etc). This is an optimistic lookup strategy that will quickly confirm that a token is absent from the blacklist (which would be the more common case). If a token being looked up happens to match an item in the in-app blacklist (because its first few bytes match), then move on to an extra lookup on the redis store, then the persistent store if need be. Some (or all) of the stores may be implemented as tries or hash tables. Another efficient and relatively simple to implement data structure to consider is something called a Bloom filter.

Obviously, you'd have to adapt the above approach if you routinely blacklist millions of long-lasting tokens (which may also indicate that you have a different problem).

Solution 2

You can use Redis for storing jwt label. Redis is much faster and convenient for storing such data. The request to Redis should not greatly affect the performance. You can try the library jwt-redis

Share:
31,913
manish keer
Author by

manish keer

Updated on September 14, 2021

Comments

  • manish keer
    manish keer over 2 years

    I'm building an application with ExpressJS, Mongodb(Mogoose). Application contains routes where user has to be authenticated before accessing it.

    Currently I have written a express middleware to do the same. Here with the help of JWT token I'm making mongodb query to check whether user is authenticated or not. but feel this might put unnecessary request load on my database.

    should I integrate redis for this specific task?
    does it will improve API performance? or should go ahead with existing mongodb approach?

    would be helpful if I get more insights on this.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Nodejs/mongodb- Checking if a user has Admin privileges (token based auth)
Finding an Embedded Document by a specific property in Mongoose, Node.js, MongodDB
How to return Mongoose query results without callback
How to get the response time in node js
Trouble with PUT request using Node.js (express), Angular, and MongoDB
I'm a complete newbie, how can I learn Node.Js + Express + MongoDB?
Mongodb aggregate $push with $cond and $each
ExpressJS & Mongoose REST API structure: best practices?
Postman raw data works but form-data not works on POST request in node
How can I sort and limit with Mongoose