Description
There are currently two issues with JWTs
- They are not invalidated post logouts
- They are not validated centrally through an API
- They cannot include custom fields that are configured as part of the application
Changes
- @Amruth-Vamshi to create the JWT Store and APIs to validate/invalidate a JWT token. Can only be done through a valid JWT header for the same user. Parse the JWT to figure out the sub and use that to invalidate the token. Ensure all custom fields are added as part of the user metadata.
- @KDwevedi to set up the FA application JWT setting in such a way that custom fields (OTP, Phone, Fingerprint, Timestamp) are added as part of the JWT.
- @singhalkarun to setup a Caddy Module to validate certain APIs through this module. @KDwevedi to write the module code. | Deprioritized
- @KDwevedi to set up AuthGuard on all relevant services. (BFF, TS)
- @singhalkarun + Divij to deploy these changes to dev
- @KDwevedi to set up an E2E test case - bash script to test this out
- Prateek to update the client to send all these params, and validate when the JWT comes back as a response, in failure cases - raise the appropriate error - "The user has been logged out, please login again". Raise a PR to the Kumbh frontend and get these merged.