What is the combined benefit of using (1) JWT + (2) as session tokens + (3) with database?

[jayliew]

Can someone help me understand the combined benefit of using 3 separate things together: JWT as a session token with a database? Pros and cons?

Clarification: This is not a question about JWT alone, by itself but 3 things combined: (1) JWT (2) as session token (3) used with a database.

My setup: No 3rd party OAuth Provider, just "Credentials" as the Provider (i.e. username + password). I have a database.

Related:

• Can the same JWT from NextAuth be used as the Bearer token for GraphQL API access from the client side? (e.g. using Apollo)

[StefanSelfTaught]

See more here: https://next-auth.js.org/faq#json-web-tokens

I don't see why it can't be used as a Bearer token.

[jayliew]

Noted on the Bearer token question ... I will have to try out it and see if that works (thanks!)

I have updated my main question to clarify it more.

This is not a question about JWT alone, by itself. My question is about 3 things combined: (1) JWT (2) as session token (3) used with a database.

From the documentation:

NextAuth.js supports both database session tokens and JWT session tokens.

If a database is specified, database session tokens will be used by default.

If no database is specified, JWT session tokens will be used by default.

You can also choose to use JSON Web Tokens as session tokens with using a database, by explictly setting the session: { jwt: true } option.

I'm trying to understand the pros and cons of the following 2 options:

1. using a database + JWT + JWT used as session tokens
2. using a database + JWT + JWT NOT used as session tokens

[iaincollins]

Can someone help me understand the combined benefit of using 3 separate things together: JWT as a session token with a database? Pros and cons?

Great question!

Advantages of using a database are you a can persist users while not logged in and generally need it for things like any service that has any sort of ordering / payment / billing, for persisting user identity while offline, persisting Access Tokens and Refresh Tokens, etc.

You would want to persist users in a database almost any time you have content a user can edit and modify, but if a site is using auth to grant read only access and no billing is involved, you likely don't need a database.

Using JWT with database gives you all these advantages (as users are persisted somewhere) but is:

• Typically cheaper than using database sessions (less hits to a database; only needs to hit the database at sign in)
• Typically faster than using database (as no round-trip from a serverless function to a database required)
• Typically easier to scale (for the above reasons)

A disadvantage of using JWT for sessions (instead of using database sessions) is you can't do things like allow users to expire sessions they might have on on remote devices (e.g. where they realise they have forgotten to sign out from a computer or device they no longer have access to) and you can't easily limit how many times someone can be signed in.

These are not native features of NextAuth.js (but are possible), and are probably fair to consider edge cases.

Can the same JWT from NextAuth be used as the Bearer token for GraphQL API access from the client side? (e.g. using Apollo)

You cannot read the JWT for NextAuth.js from client side JavaScript, to prevent session hijacking it is stored as a HTTP Only (aka "server only") cookie, but if the Apollo endpoint was on exactly the same domain (e.g. example.com/api/apollo) then it could be passed as a regular cookie when calling the endpoint via fetch() - but would not be as a Bearer Token.

Alternatively, you can always "proxy" requests to your GraphQL backend via you own /api/ endpoint and pass the JWT and/or generate a JWT and insert it as the Bearer Token. on the fly (less efficient but much simpler and easier to get working).

There are also other longer, more complicated answers, but I hope this is somewhat helpful.

[balazsorban44]

@iaincollins

you can't easily limit how many times someone can be signed in.

If you refer to concurrent logins, we actually solved this without a DB (using node-cache) at work. I think it's because we don't use a serverless target for deployment though, but so far we haven't seen any good reasons for serverless.

With an in-memory cache like this, I think even remote logouts are also feasible, using token revocation and short token lifetimes.

[franky47]

@balazsorban44 How do you handle your server restarting (deployments, unplanned downtime, maintenance, etc) ?

I use a separate Redis instance to store a blocklist of invalidated JWTs (or rather their tokenID to avoid strong the whole thing) to implement the "log out from all other sessions" user story, with keys expiring at the same time as the JWT itself.
It could have been done just in memory, but if the server restarts then invalidated tokens would be accepted again, without some sort of persistence.

[balazsorban44]

https://gist.github.com/balazsorban44/86a98410c0365c4958d0e86114c3469d here is our implementation.

Currently had some problems which I have to debug, so I cannot say it's 100%, but it could give some ideas at least.