Home > database >  Updating Auth0 JWT without invalidating sessions
Updating Auth0 JWT without invalidating sessions

Time:10-11

I have an app using Auth0, made with ReactJS and NodeJS. Things are working fine for the most part.

The design is such that we decorate each request with an admin flag, and I have the Auth0 profile encoded in my JWT token.

This way I can do things like:

  server.route({
    method: 'POST',
    url: '/.../...',
    preValidation: server.authenticate,
    handler: async (req, res) => {
      const { user } = req;
      if (!user['admin']) {
        ...
      }
      ...
    }
  });

I am happy, with this approach, except for one problem that I have not resolved. How to deal with a request coming from the user to update their own profile. After the profile is updated, JWT stays the same and has outdated profile information.

Can anything be done about this, short of logging users out on each profile update? Is there a way to update JWT without ending the session?

CodePudding user response:

This is practically impossible as it defeats the purpose of statelessness of jwts. However, in this particular usecase, after the profile is updated, you can create a new jwt and add it as part of the response, so the client picks up on the new token and uses it for further requests

CodePudding user response:

Based on my research, the solution is to:

Repeat the login automatically after each profile update or notify the end-user that and let them choose if they want to repeat the login.

  • Related