User token revocation list #29

Description

@kaustavdm

Build a revocation list for user tokens that will have a structure like:

type UserRevocation struct {
    ID  uuid.UUID // Primary key: the user's id
    IAT time.Time // Time the revocation took effect; tokens issued at or before it are rejected
}

User JWT verification will follow this logic:

  • Search for an entry in UserRevocation by user id, taken from the JWT's iss field.
  • If no entry is present, verify the signature.
  • If an entry is present, verify that UserRevocation.IAT for that entry is less than the iat field of the JWT.
    • If UserRevocation.IAT is less than the iat field of the JWT, verify the signature.
    • Else, fail.
  • Verify the signature using the shared secret.

Entries are added to UserRevocation list when:

  • User changes their password.
  • User wants to force log out all connected clients.
  • User needs to be forced to reauthenticate.

Each entry should have a TTL of 28 days, which is the validity period of each user JWT.
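An added Go example of the verification logic described above (not code from this issue or the project): HS256 signing and verification with the revocation rule applied, assuming a plain string user id in place of uuid.UUID and an in-memory map in place of the database table. It deliberately checks the signature before the revocation lookup so that an unauthenticated token never drives a lookup keyed by its unverified iss claim.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// UserRevocation mirrors the issue's struct; ID is a string here (an assumption) so no uuid package is needed.
type UserRevocation struct {
	ID  string
	IAT time.Time
}
type Revocations map[string]UserRevocation // stands in for the revocation list table, keyed by user id
var enc = base64.RawURLEncoding

func hs256(in string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return mac.Sum(nil)
}

// SignUserJWT mints an HS256 token carrying the user id in iss, as the issue proposes.
func SignUserJWT(userID string, iat time.Time, secret []byte) string {
	payload, _ := json.Marshal(map[string]interface{}{"iss": userID, "iat": iat.Unix()})
	in := enc.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + enc.EncodeToString(payload)
	return in + "." + enc.EncodeToString(hs256(in, secret))
}

// VerifyUserJWT returns the user id of an authentic token not blocked by a revocation entry
// (issue rule: an entry blocks the token unless the entry's IAT is strictly before the token's
// iat). The signature is checked first, with the algorithm pinned to HS256 rather than read
// from the header, so an unauthenticated token never drives a lookup against the list.
func VerifyUserJWT(token string, secret []byte, rev Revocations) (string, error) {
	p := strings.Split(token, ".")
	sig, _ := enc.DecodeString(p[len(p)-1])
	if len(p) != 3 || !hmac.Equal(sig, hs256(p[0]+"."+p[1], secret)) {
		return "", errors.New("malformed token or bad signature")
	}
	var c struct{ Iss string `json:"iss"`; Iat int64 `json:"iat"` }
	if payload, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(payload, &c) != nil || c.Iss == "" {
		return "", errors.New("bad payload")
	}
	if r, ok := rev[c.Iss]; ok && !r.IAT.Before(time.Unix(c.Iat, 0)) {
		return "", errors.New("token revoked")
	}
	return c.Iss, nil
}
```

Because iat has one-second granularity, a token minted in the same second as the revocation entry is rejected, which is the safe direction for a password change or forced logout. The 28-day entry TTL is not modelled here; it belongs to whatever store backs Revocations.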
