I am trying to implement signup and login functionality and I am using Spring Boot and the Java stack. I am following this tutorial (you don't have to click on it, I am just putting it here for reference and completeness of this question).
Spring Security MySQL JWT Tutorial - Grokonez
Now I have an endpoint for signup and one for login. After signing up and adding the user to the database, I am logging in. From the sign-in endpoint, I am getting a JWT token. Using this token, I am able to access restricted resources. Everything is awesome till now. Now, when I hit the sign-in endpoint again, I get another token.
This is where my dilemma is. Since I have two tokens, I can essentially log in using either token. Now of course, both of these tokens have an expiry date (for example, a day). But in terms of good practice, should we invalidate the old token, meaning that at any given point in time there will be only ONE token that any user can use to log in to our system?
If that's the case, would that mean that the user cannot use our app simultaneously on two devices, like a laptop and a mobile phone? In that case, what's the upper limit on active tokens?
I have heard something about refresh tokens etc., but I just want to keep this simple and I am OK with having just a single token called the access token.
So, if you think I should invalidate the JWT and keep only one active JWT per user at any given point in time, how would I do that? Store JWTs in the DB and do something?
If you are going to store the JWT token in the database, then there is no point in using a JWT token, because the main reason for having a self-contained, signed token is to avoid database validation when the user accesses the application.
I can suggest the following way to avoid creating multiple active tokens.
You can keep the JWT token's (last) creation time in the database, and then you can cross-check the last creation time (compare it with the current time) when the user signs in to the application.
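The scheme described in this answer, written out as an added example that is not part of the original post and not code from the tutorial in question: a minimal HS256 JWT is issued at sign-in with `iat`/`exp` claims, only the user's last token creation time is stored (an in-memory dict stands in for the users table), and a fresh sign-in is refused while the previously issued token is still inside its expiry window. The per-request check (`verify_jwt`) stays self-contained and never touches the store; the database is consulted only at sign-in. The secret key and the one-day TTL are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed secret for this example only; a real service loads it from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # one day, matching the expiry discussed in the question

# Stands in for a column on the users table: username -> last token creation time (epoch seconds).
# This is the only per-user state the answer proposes to keep in the database.
last_token_created_at: Dict[str, float] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(username: str, issued_at: float, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build a minimal HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": int(issued_at), "exp": int(issued_at) + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None.

    This is the self-contained check used on every request; it needs no database access.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(
            SECRET_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time comparison so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, bad JSON, or wrong number of segments
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def sign_in(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a token only if the user's previous token has already expired.

    Returns None while an unexpired token exists, so at most one token is live per user.
    The trade-off the question raises applies: a second device cannot sign in until the
    first device's token expires.
    """
    now = time.time() if now is None else now
    last = last_token_created_at.get(username)
    if last is not None and now < last + TOKEN_TTL_SECONDS:
        return None  # cross-check failed: last creation time is still inside the TTL window
    last_token_created_at[username] = now
    return create_jwt(username, now)


if __name__ == "__main__":
    t0 = time.time()
    laptop = sign_in("alice", now=t0)
    print("laptop token issued:", laptop is not None)
    print("phone sign-in an hour later allowed:", sign_in("alice", now=t0 + 3600) is not None)
    print("laptop token still valid:", verify_jwt(laptop, now=t0 + 3600) is not None)
```

The `now` parameter exists so the time-dependent behaviour can be exercised deterministically; production callers omit it. Note that rejecting the second sign-in is what keeps the scheme free of per-request database lookups: once a token is out, nothing can revoke it before `exp`, which is the cost of not storing tokens.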