Purpose of Session module

[LucaAndrei]

What is the purpose of the session module?
Doesn't it defeat the purpose of stateless authentication with JWT when you are storing the session in the DB?
Are you storing the session to invalidate a user's session or to be able to blacklist a refresh token?
Thanks

[Shchepotin]

@LucaAndrei

What is the purpose of the session module?

Session module needs for the Refresh Token flow

Doesn't it defeat the purpose of stateless authentication with JWT when you are storing the session in the DB?

Access tokens are still stateless

Are you storing the session to invalidate a user's session or to be able to blacklist a refresh token?

For now "to be able to blacklist a refresh token"

[moris-moze]

@Shchepotin What's then the purpose of storing sessionId in the JWT (not refresh JWT) when signing it?

Code:

await this.jwtService.signAsync(
  {
    id: data.id,
    role: data.role,
    sessionId: data.sessionId,
  },
  {
    secret: this.configService.getOrThrow('auth.secret', { infer: true }),
    expiresIn: tokenExpiresIn,
  },
),

[Shchepotin]

@moris-moze for logout flow

nestjs-boilerplate/src/auth/auth.controller.ts

Lines 101 to 109 in aeb15ff

	@ApiBearerAuth()
	@Post('logout')
	@UseGuards(AuthGuard('jwt'))
	@HttpCode(HttpStatus.NO_CONTENT)
	public async logout(@Request() request): Promise<void> {
	await this.service.logout({
	sessionId: request.user.sessionId,
	});
	}