Hiker, software engineer (primarily C++, Java, and Python), Minecraft modder, hunter (of the Hunt Showdown variety), biker, adoptive Akronite, and general doer of assorted things.
Oof, okay well that’s not how I would’ve done it. The JWT secret in the database itself could be a vulnerability (e.g., someone that gains read only access to the database could then use that as a wedge to create any JWT they wanted). I’m not sure if that’s actually worth bringing up or not (it’s a bit of an odd case).
I don’t know enough about Lemmy’s JWT design, but some JWT designs don’t store the JWT in a database at all, so the only correct response is to regenerate the secret and kill all the sessions by them failing the validity checks.
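The mechanism the comment describes (stateless HS256 JWTs whose sessions can only be killed by rotating the signing secret, because nothing about them is stored server-side) as an added, self-contained example. This is not Lemmy's code and assumes nothing about Lemmy's actual JWT design: it is a minimal standard-library HS256 implementation with a `rotate_secret()` helper and a `demo()` that shows a token verifying under the old secret and failing under the new one. The claim names (`sub`, `exp`) and the fixed `NOW` timestamp are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed fixed "current time" so the demo is deterministic.
NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce a compact-serialization HS256 JWT over `claims`."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    Nothing is looked up server-side: the only inputs that decide validity
    are the secret and the token itself, which is exactly why rotating the
    secret is the one lever that invalidates every outstanding session.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; refuse "none" and alg confusion
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time MAC comparison
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None  # malformed base64/JSON/structure
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def rotate_secret() -> bytes:
    """Generate a fresh 256-bit HMAC key from the OS CSPRNG."""
    return secrets.token_bytes(32)


def demo() -> dict:
    """Show that a token valid under the old secret dies with the rotation."""
    old_secret = rotate_secret()
    token = sign_jwt({"sub": "alice", "exp": NOW + 3600}, old_secret)
    before = verify_jwt(token, old_secret, now=NOW)
    new_secret = rotate_secret()  # the incident-response step from the comment
    after = verify_jwt(token, new_secret, now=NOW)
    return {
        "before_rotation_valid": before is not None,
        "after_rotation_valid": after is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth taking from the run: `verify_jwt` never consults storage, so there is no per-session row to delete. Rotation is a blunt instrument (every user is logged out at once), which is the trade-off of keeping sessions fully stateless; a `kid` header and a short overlap window with two accepted keys is the usual way to soften it without reintroducing a session table.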