adonis jwt authentication how find the user without store it on the database

[farshadfahimi]

I'm a little confused for know how adonis defined the user token while it's not store in the database.

I have a controller like bellow

class UserController {
    async login({ auth, request }) {
        const { email, password } = request.all()

        return await auth.attempt(password, password)
    }
}

it return a currect jwt token but when I'm checking the tokens table it's empty.
I want to know adonis how defined the user by this token in other requests?

because in some other routes I'm retrive the users data by token and it return the currect user

[thetutlage]

JWT tokens are self contained and not stored inside database at all. I suggest reading about JWTs in general. https://jwt.io/

[aymanatmeh]

Hello First of all let explain some points about JWT
1- User requests access token by providing credentials
2- you shall receive access_token and refresh_token (https://adonisjs.com/docs/4.1/authentication#_withrefreshtoken)
3- you can provide non-sensitive user info in payload to do validations (https://adonisjs.com/docs/4.1/authentication#_generateuser_jwtpayload_jwtoptions)
4-tokens will expire as you define in config/auth.js
jwt: { serializer: 'lucid', model: 'App/Models/User', scheme: 'jwt', uid: 'email', password: 'password', options: { secret: Env.get('APP_KEY'), expiresIn: '15m' } },
5- giving a refresh_token will generate a new access_token for the user for another 15mins as the example above.

Do we need to save our access Tokens ?
well this is a debate , but lets imagine this scenario , you are giving a jwt token that expiresIn:12 hours , and you need to revoke this token . you can revoke refresh_token immediately , but access token will remain active for 12 hours .

therefore , some tech companies store access_tokens in a safe place so they can black list them at anytime even if they are active (login must apply in app level) .