Token still valid if JWTUniqueID is null or 0

[Martimiz]

If I change the existing JWTUniqueID to something different in the database, like 'XXX', the token is no longer valid. But if I change it to 0 or null, it becomes valid again. So resetting the token from the cms doesn't work.

Probably because the jti claim (that is created on that value) then becomes empty as well, and as it is optional, it won't be used.

Possible solution: set JWTUniqueID to something invalid ánd unique to disable it. For example $member->ID works - although not very secret :)

[Firesphere]

Apologies for my very delayed response. I've not had time to work on this module for a while.

I've added a bug label, because this indirectly gives an option to bypass the JWT method and yet still be authorised.

A solution I have been wanting to implement, would be to properly use a long and short token, where the long token is used to renew the short token, instead of an expired token.

[Martimiz]

No problem, I completely understand 😊

I was thinking should there be a way to at least optionally use the JWT without having to hit the db (member) for every request? Authenticate once, then authorize until expiry, like I understand JWT was originally meant to work? A short token/long token could then be used to check once if the user is still valid, then renew...

Or is that not really feasable or sensible in SilverStripe graphQL, especially since SilverStripe authentication is normally done on the same server/db anyway?

[Firesphere]

Agreed, the full implementation of JWT isn't in here yet. But for permission reasons, the database is being hit.