this post was submitted on 12 Mar 2024
12 points (87.5% liked)
Lemmy
12519 readers
76 users here now
Everything about Lemmy; bugs, gripes, praises, and advocacy.
For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
One thing to be aware of is that there is ~~currently, AFAIK, no~~ now (since 0.19.3) a way to "disable" a JWT.
Before that, once you had created it, if you leaked it, your account was, as far as I can tell, definitely compromised.
Now, it is possible to logout, to mark the JWT as "invalid".
I will add, ~~as a disclaimer, that I have not checked if~~ that as Nutomic highlighted below, there are conditions (password change, etc) under which ~~any or~~ all JWT (user, ~~instance, etc~~) become invalid. ~~So do audit the code if this is something that concerns you. As far as I am concerned, I treat the JWTs as extra-sensitive information, and store them only on machines I own~~.
Edit: correct information in the light of Nutomic's comments.
The jwt is invalidated once you logout. You can also change/reset your password to invalidate all login tokens for your account.
Invalidated how?
OK. I was afraid this would not be the case. Thanks for confirming.
Well it's deleted from the database so you can't authenticate with it anymore.
OK there now is a
LoginToken
class. This was not the case last time I checked. Good. Thanks for your answers.