
Do you need to invalidate JWT token upon password change?

Çağlar Arlı      -    67 Views


We've got an Angular app that calls APIs with JWT token authentication (so an auth token and a refresh token). Now at some point the user changes his password (while normally logged in, so not with a "reset password" logic for when he can't log in anymore), so we call the /change-password endpoint.

Currently we keep the user logged in and keep using the same tokens, but is this acceptable? Shouldn't there be some kind of invalidation?

I understand from the OWASP guidelines that all sessions should be invalidated in this case. So how do we manage that with JWT tokens?
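One common way to get the invalidation the question asks about without a server-side token blacklist: store a per-user password version, embed it in every issued token, and have the API reject any token whose version no longer matches. The example below is added here and is not code from the question or from any particular project; it assumes HS256 with a placeholder secret, an in-memory dict standing in for the user table, and a claim name (`pwd_ver`) chosen for this illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-for-real-use"  # placeholder only

# Constructed stand-in for the users table; pwd_version is bumped by /change-password
USERS = {"alice": {"pwd_version": 1}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: int, ttl: int = 900) -> str:
    """Mint an HS256 JWT carrying the user's current password version (assumed claim name)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl,
               "pwd_ver": USERS[user_id]["pwd_version"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def change_password(user_id: str) -> None:
    """What /change-password does in addition to storing the new hash: bump the version."""
    USERS[user_id]["pwd_version"] += 1


def verify_token(token: str, now: int):
    """Return the payload if the token is valid and not stale, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # bad signature
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None  # refuse any other algorithm, including "none"
    payload = json.loads(_b64url_decode(p))
    user = USERS.get(payload.get("sub"))
    if user is None or payload.get("exp", 0) <= now:
        return None
    # The invalidation step: a token minted before the password change carries an old version
    if payload.get("pwd_ver") != user["pwd_version"]:
        return None
    return payload
```

The same check belongs on the refresh endpoint, so a stale refresh token cannot mint a fresh access token; the client then re-authenticates with the new password.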