module Devise::JWT::RevocationStrategies::Allowlist

This strategy must be included in the user model.

The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id` columns.

To tell whether a token is revoked, it looks up the token's `jti` and `aud` values in the `allowlisted_jwts` table for the respective user.

If no matching record exists, the token is treated as revoked. On revocation, it deletes the matching record from the `allowlisted_jwts` table.

On sign in, it creates a new record with the `jti` and `aud` values.
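The lifecycle described above, as an added example that is not devise-jwt's own code: an in-memory stand-in for the `allowlisted_jwts` table (the store class, the `purge_expired!` step and the sample payloads are constructed for illustration), walking through dispatch on sign in, the `aud` mismatch and unknown `jti` cases, and deletion on revocation.

```ruby
# Added example, not devise-jwt's own code: an in-memory stand-in for the
# allowlisted_jwts table so the allowlist round trip runs without Rails.
class AllowlistedJwtStore
  attr_reader :rows

  def initialize
    @rows = [] # constructed rows: { jti:, aud:, exp: }
  end

  # Mirrors on_jwt_dispatch: record jti, aud and exp when a token is issued.
  def on_jwt_dispatch(payload)
    @rows << { jti: payload['jti'], aud: payload['aud'], exp: Time.at(payload['exp'].to_i) }
  end

  # Mirrors jwt_revoked?: revoked unless a row matches BOTH jti and aud.
  def jwt_revoked?(payload)
    @rows.none? { |r| r[:jti] == payload['jti'] && r[:aud] == payload['aud'] }
  end

  # Mirrors revoke_jwt: delete the matching row; a no-op when none exists.
  def revoke_jwt(payload)
    @rows.reject! { |r| r[:jti] == payload['jti'] && r[:aud] == payload['aud'] }
  end

  # Assumed housekeeping (not described on the page): the exp column lets
  # rows for already-expired tokens be dropped so the table stays bounded.
  def purge_expired!(now = Time.now)
    @rows.reject! { |r| r[:exp] <= now }
  end
end

# Walks the lifecycle with constructed payloads and returns each check's result.
def allowlist_round_trip
  store = AllowlistedJwtStore.new
  live  = { 'jti' => 'jti-1', 'aud' => 'web', 'exp' => (Time.now + 3600).to_i }
  stale = { 'jti' => 'jti-2', 'aud' => 'web', 'exp' => (Time.now - 60).to_i }
  store.on_jwt_dispatch(live)
  store.on_jwt_dispatch(stale)
  results = { fresh_token_ok: !store.jwt_revoked?(live) }
  # Same jti presented for another audience does not match the stored row.
  results[:aud_mismatch] = store.jwt_revoked?(live.merge('aud' => 'mobile'))
  results[:unknown_jti]  = store.jwt_revoked?(live.merge('jti' => 'never-issued'))
  store.purge_expired!
  results[:stale_purged] = store.jwt_revoked?(stale)
  store.revoke_jwt(live)
  results[:revoked_after_signout] = store.jwt_revoked?(live)
  results
end
```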

Public Class Methods

jwt_revoked?(payload, user)

@see Warden::JWTAuth::Interfaces::RevocationStrategy#jwt_revoked?

# File lib/devise/jwt/revocation_strategies/allowlist.rb, line 29
def self.jwt_revoked?(payload, user)
  !user.allowlisted_jwts.exists?(payload.slice('jti', 'aud'))
end

revoke_jwt(payload, user)

@see Warden::JWTAuth::Interfaces::RevocationStrategy#revoke_jwt

# File lib/devise/jwt/revocation_strategies/allowlist.rb, line 34
def self.revoke_jwt(payload, user)
  jwt = user.allowlisted_jwts.find_by(payload.slice('jti', 'aud'))
  jwt.destroy! if jwt
end

Public Instance Methods

on_jwt_dispatch(_token, payload)

@see Warden::JWTAuth::Interfaces::User#on_jwt_dispatch

# File lib/devise/jwt/revocation_strategies/allowlist.rb, line 41
def on_jwt_dispatch(_token, payload)
  allowlisted_jwts.create!(
    jti: payload['jti'],
    aud: payload['aud'],
    exp: Time.at(payload['exp'].to_i)
  )
end