Move checking for blocked tokens to after other checks for validity.
When the blacklist was a straightforward - and presumably cheap - literal lookup by token value, I can see the merit for checking it first. If we care about using the contents of the token, then it's preferable to know that we can reliably decode the token.
Note that this would change the response for invalid tokens. Assuming that only valid tokens are added to the blacklist, then the only visible sign of this would be for tokens that were added to the blacklist and then later expire. An external observer would now see the expiration error first, instead of the blacklist message. If an installation is clearing expired tokens, this is essentially the same behaviour that you would get in the old code, after the token expires and is purged from the blacklist.
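To make the ordering difference concrete, here is an added illustration; it is not this project's code. It assumes a minimal HMAC-signed `body.signature` token format, a `jti` claim to key the new blocklist on, and in-memory sets for both blocklists, none of which the commit message specifies. `check_old_order` does the literal lookup by token value before decoding; `check_new_order` verifies the signature and expiry first and only then consults the blocklist by `jti`. `purge_expired` stands in for an installation's cleanup of expired blocklist entries.

```python
import base64
import hashlib
import hmac
import json

KEY = b"example-signing-key-not-for-production"  # constructed sample key


class TokenError(Exception):
    """Base class for every reason a token is rejected."""


class InvalidToken(TokenError):
    """Malformed token or signature mismatch."""


class ExpiredToken(TokenError):
    """Signature valid but the 'exp' claim is in the past."""


class BlockedToken(TokenError):
    """Token (or its jti) is on the blocklist."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = KEY) -> str:
    """Hypothetical token format: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode_token(token: str, now: int, key: bytes = KEY) -> dict:
    """Signature first, then expiry. Raises InvalidToken or ExpiredToken."""
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise InvalidToken("signature mismatch")
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:  # bad split, bad base64, bad JSON, non-ASCII sig
        raise InvalidToken("malformed token") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    if claims.get("exp", 0) <= now:  # a missing 'exp' counts as expired
        raise ExpiredToken("token has expired")
    return claims


def check_old_order(token: str, blocked_tokens: set, now: int) -> dict:
    """Old behaviour: literal lookup by token value before we know it decodes."""
    if token in blocked_tokens:
        raise BlockedToken("token is blocklisted")
    return decode_token(token, now)


def check_new_order(token: str, blocked_jtis: set, now: int) -> dict:
    """New behaviour: validity checks first, then blocklist keyed by the jti claim."""
    claims = decode_token(token, now)
    if claims.get("jti") in blocked_jtis:
        raise BlockedToken("token is blocklisted")
    return claims


def purge_expired(blocked_tokens: set, now: int) -> set:
    """Drop raw blocklist entries that no longer validate (a periodic cleanup job)."""
    kept = set()
    for tok in blocked_tokens:
        try:
            decode_token(tok, now)
        except TokenError:
            continue
        kept.add(tok)
    return kept


def outcome(check, token: str, blocklist: set, now: int) -> str:
    """Map the raised exception to the error an external observer would see."""
    try:
        check(token, blocklist, now)
        return "ok"
    except BlockedToken:
        return "blocked"
    except ExpiredToken:
        return "expired"
    except InvalidToken:
        return "invalid"


def demo() -> dict:
    """Constructed scenarios: one blocklisted token, seen before and after its expiry."""
    issued = 1_000_000
    tok = make_token({"sub": "alice", "jti": "abc123", "exp": issued + 3600})
    raw_blocklist = {tok}          # old code blocklists the literal token value
    jti_blocklist = {"abc123"}     # new code blocklists the jti claim
    before, after = issued + 60, issued + 7200
    tampered = tok[:-3] + "xyz"    # corrupt the signature
    return {
        "old/valid+blocked": outcome(check_old_order, tok, raw_blocklist, before),
        "new/valid+blocked": outcome(check_new_order, tok, jti_blocklist, before),
        "old/expired+blocked": outcome(check_old_order, tok, raw_blocklist, after),
        "new/expired+blocked": outcome(check_new_order, tok, jti_blocklist, after),
        "old/expired+purged": outcome(check_old_order, tok, purge_expired(raw_blocklist, after), after),
        "old/tampered": outcome(check_old_order, tampered, raw_blocklist, before),
        "new/tampered": outcome(check_new_order, tampered, jti_blocklist, before),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The only scenario whose visible result changes is the blocklisted token after it expires: the old order reports "blocked", the new order reports "expired". Once the old code's blocklist has been purged of expired entries, it reports "expired" as well, which is the equivalence the commit message describes. Tampered tokens are rejected as invalid under both orders, since a forged token was never blocklisted and the new order never reaches the blocklist for it.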