node.js: How to destroy JWT tokens on logout?
Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/37959945/
How to destroy JWT Tokens on logout?
Asked by Garima
I am using jwt plugin and strategy in hapijs.
I am able to create jwt token while login user and authenticate other API using the same token through 'jwt' strategy.
I am setting the token in request.state.USER_SESSION as a cookie, where USER_SESSION is the token name. Also, I am not saving these tokens in the database.
But how can I destroy jwt token at the time of logout?
Please suggest a way.
Answered by pedrofb
The JWT is stored in the browser, so remove the token by deleting the cookie on the client side.
If you also need to invalidate the token from the server side before its expiration time, for example account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin, take a look at Invalidating JSON Web Tokens for some common techniques like creating a blacklist or rotating tokens.
Answered by Jamil Noyda
You cannot manually expire a token after it has been created. Thus, you cannot log out with JWT on the server side as you do with sessions.
JWT is stateless, meaning that you should store everything you need in the payload and skip performing a DB query on every request. But if you plan to have a strict log out functionality that cannot wait for the token auto-expiration, even though you have cleaned the token from the client side, then you might need to neglect the stateless logic and do some queries. So what's a solution?
Set a reasonable expiration time on tokens
Delete the stored token from client-side upon log out
Query the provided token against The Blacklist on every authorized request
Blacklist
“Blacklist” of all the tokens that are valid no more and have not expired yet. You can use a DB that has a TTL option on documents which would be set to the amount of time left until the token is expired.
Redis
Redis is a good option for the blacklist, which will allow fast in-memory access to the list. Then, in middleware of some kind that runs on every authorized request, you should check if the provided token is in The Blacklist. If it is, you should throw an unauthorized error. And if it is not, let it go and the JWT verification will handle it and identify if it is expired or still active.
For more information, see How to log out when using JWT, by Arpy Vanyan.
Answered by Aman Kumar Gupta
On logout from the client side, the easiest way is to remove the token from the browser's storage.
But what if you want to destroy the token on the Node server?
The problem with the JWT package is that it doesn't provide any method or way to destroy the token.
So in order to destroy the token on the server side you may use the jwt-redis package instead of JWT.
This library (jwt-redis) completely repeats the entire functionality of the library jsonwebtoken, with one important addition. Jwt-redis allows you to store the token label in redis to verify validity. The absence of a token label in redis makes the token not valid. To destroy the token in jwt-redis, there is a destroy method.
It works in this way:
1) Install jwt-redis from npm
2) To create:
var redis = require('redis');
var JWTR = require('jwt-redis').default;
var redisClient = redis.createClient();
var jwtr = new JWTR(redisClient);
// payload and secret are placeholders: supply your own claims and signing key
var payload = { userId: 'USER_ID_PLACEHOLDER' };
var secret = 'SECRET_PLACEHOLDER';
jwtr.sign(payload, secret)
  .then((token) => {
    // your code
  })
  .catch((error) => {
    // error handling
  });
3) To verify:
// returns a promise, like sign
jwtr.verify(token, secret);
4) To destroy:
// removes the token label from redis, so later verify calls fail
jwtr.destroy(token);
Note: you can provide expiresIn during signing of the token in the same way as it is provided in JWT.