Right guys?

  • Lmaydev@programming.dev · 1 upvote · 1 year ago

    Once a token is issued it is valid until it expires. There is no way to disable a token short of changing the secret used to sign them, which would invalidate all existing tokens for all users.

    • Mic_Check_One_Two@reddthat.com · 2 upvotes · 1 year ago

      I actually suggested exactly that elsewhere. It would be a nuclear option, for sure. Since it would require every single user to log back in. But it would 100% without a doubt stop the attacker in their tracks.

    • Natanael@slrpnk.net · 1 upvote · 1 year ago

      That’s bad design, because you can bind a user token to a per-account value which can be rotated to deprecate tokens.
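A sketch of the per-account binding Natanael describes, added here as an example (it is not code from any commenter or from Lemmy itself): every token carries the account's current token version `tv`; bumping that one value invalidates only that account's outstanding tokens, while rotating the signing secret still invalidates everyone's. The HS256 secret, the in-memory account table and the user name are constructed for the demonstration.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-server-signing-secret"   # constructed HS256 key; rotating it logs out everyone
ACCOUNTS = {"alice": {"token_version": 1}}       # constructed account table; tv is rotated per account

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    """Mint a compact JWT (HS256) that embeds the account's current token version."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": now + ttl, "tv": ACCOUNTS[user]["token_version"]}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature, expiry and per-account version all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                     # malformed base64/JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    account = ACCOUNTS.get(claims.get("sub"))
    if account is None or claims.get("tv") != account["token_version"]:
        return None                        # issued before this account's version was rotated
    return claims

def revoke_all_sessions(user: str) -> None:
    """Per-account 'nuclear option': every token minted with the old tv now fails verification."""
    ACCOUNTS[user]["token_version"] += 1
```

Rotating `tv` only touches the targeted account, so the rest of the site stays logged in; the check costs one lookup of the account record per request, which a stateless verifier would otherwise skip.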