Should I store JWT tokens in redis?

Backend · Unresolved · 2 · 640
春和景丽 2021-01-31 03:51

I'm building an application with ExpressJS and MongoDB (Mongoose). The application contains routes where the user has to be authenticated before accessing them.

Currently I have writt

2 answers
  • 2021-01-31 04:11

    You can use Redis for storing the jwt label. Redis is much faster and more convenient for storing such data. The request to Redis should not greatly affect the performance. You can try the library jwt-redis.

    0 Discussion (0)
  • 2021-01-31 04:13

    TLDR: If you want the capability to revoke the token at some point, yes, store it in something fast like Redis.

    One of the well documented drawbacks of using JWT is that there's no simple way to revoke a token if for example a user needs to be logged out or the token has been compromised. Revoking a token would mean to look it up in some storage and then deciding what to do next. Since one of the points of JWT is to avoid round trips to the db, a good compromise would be to store it in something less taxing than an rdbms. That's a perfect job for Redis.

    As suggested in the comments, a good approach is to make the list a blacklist (i.e. a list of invalidated tokens). Upon each request you look up the list to ensure the token is not present in it. You can further improve on memory space and performance during the lookup step by using a probabilistic algorithm to store the token. A simple implementation is to not store the entire token in the redis blacklist. Just store the first few characters of the token. You can then store a fuller version of the blacklist using a more persistent solution (filesystem, rdbms, etc.). This is an optimistic lookup that will still quickly tell you that a token is not present in the blacklist (which would be the more common case). If a token being looked up happens to match an item in the redis blacklist (because its first few characters match), then move to an extra lookup on the persistent store. Another more efficient and relatively simple to implement algorithm for this is something called a Bloom filter.

    0 Discussion (0)