Hybrid JWT + session auth

[jasongitmail]

Firstly, thanks for making Lucia. I just implemented v3 and went smoothly.

I know Pilcrow isn't a fan of JWTs as part of Lucia, but I want to encourage openness toward JWTs.

A hybrid strategy like below, would bring performance & cost benefits: 1.) reduced latency by removing the database request for most authenticated requests, & 2.) reduced DB usage. It could be optional.

Inspiration

Credit to @benawad: https://youtu.be/CcrgG5MjGOk?t=427

On Successful Login

1. Generate session ID.
2. Store in DB's sessions table (id, user_id, expires_at).
3. Set two cookies containing JWTs:
   • access_token (short expiration; e.g. 15min-4h)
   • refresh_token (longer expiration; e.g 30 days)

Each contains session ID and user ID.

Incoming Requests

1. Verify access_token JWT (i.e. signature valid and not expired)
   • If valid, allow access to protected route.
   • If invalid, continue below.
2. Verify refresh_token JWT (i.e. signature valid and not expired)
   • If invalid, return unauthorized.
   • If valid, continue below.
3. Query DB to confirm session ID is still valid and not expired.
   • If invalid, return unauthorized.
   • If valid, continue below.
4. Create new JWTs containing same data as before:
   • Create new access_token with extended expiration.
5. Optionally, extend refresh_token expiration to today+30 days.
   • Update expires_at in DB's sessions table.
   • Create new refresh_token with this expiration.

On Successful Logout

1. Delete session from DB's sessions table.
2. Delete access_token and refresh_token cookies.

How to expire all of a user's sessions, if needed.

Optional and rarely needed, but shows how to accomplish it if needed.

1. Store a session_nonce on the user's table, default to 0.
2. When creating a refresh token, include the session_nonce within its data.
3. When validating refresh_token, check if its session_nonce matches session_nonce in the
   user's table. If not, consider the refresh token invalid and clear the user's access_token and
   refresh_token cookies.
4. Delete session from DB.

The user will retain access for the remaining duration of their access_token.

__

Although security-critical applications, like banking, would want database sessions for immediate session revocation, a huge swath of consumer apps would benefit from performance and cost benefits provided by a hybrid JWT + session strategy.

[LucasChau]

This introduces the drawback of JWTs, as you mentioned, access tokens cannot be invalidated immediately. There is no way to immediately sign out a compromised account / malicious bot that holds the access token in memory from accessing the system.

If this is not a concern, why not just implement a pure JWT strategy instead of a hybrid strategy? Can you explain the advantages of keeping the session table in this case?