I have a mobile application made with swift and used php/mysql for the backend.
At the moment, when a user signs in, I check the username and password against the credentials stored inside mysql. If it is a match, a JWT is created using the secret key I have stored inside a .env file. It's then saved inside iOS keychain to be used whenever necessary inside the application.
I have a few issues with the use of JWT:
Expiry time - What is an ideal expiry time? I've read anything from a week to not setting one at all. Obviously this depends on the application, as I imagine a banking app will need a much shorter token.
Someone else has the account's username and password - Let's say person A owns an account, but person B somehow has the necessary credentials to log in. Therefore, person A wants to reset their password as someone else has unwanted access to their account, but person B is still logged in after the password of the account has been reset because the JWT hasn't expired. How do you protect against this so that when person A's password is reset, person B no longer has access with the use of JWT?
I've also read about refresh tokens but can't seem to come across any definitive info on how it's used inside a mobile application.
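A worked illustration of the password-reset and refresh-token points raised above, added here as an example and not code from the original post. It is written in Python rather than the poster's PHP; the secret, the in-memory user table and the refresh-token store are constructed stand-ins for the .env secret and MySQL tables. The access token carries the user's current password version, so a reset invalidates every token minted before it; the refresh token is opaque and server-side, so it can be revoked outright.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"constructed-demo-secret"  # assumption: stands in for the .env secret
USERS = {"alice": {"pwd_ver": 1}}   # assumption: stand-in for the MySQL users table
REFRESH_TOKENS = {}                  # assumption: opaque refresh token -> username

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user: str, now: int, ttl: int = 900) -> str:
    """HS256 JWT with a short (15 min) expiry and the user's current password version."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "iat": now, "exp": now + ttl, "pwd_ver": USERS[user]["pwd_ver"]}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now: int):
    """Return the claims if signature, expiry and password version all check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(payload))
    user = USERS.get(claims["sub"])
    # Reject expired tokens and tokens minted before the last password reset.
    if now >= claims["exp"] or user is None or claims["pwd_ver"] != user["pwd_ver"]:
        return None
    return claims

def issue_refresh_token(user: str) -> str:
    """Opaque, server-stored refresh token; the app keeps it in the keychain."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = user
    return token

def refresh(refresh_token: str, now: int):
    user = REFRESH_TOKENS.get(refresh_token)
    return issue_access_token(user, now) if user else None

def reset_password(user: str) -> None:
    """Bump the version and drop the user's refresh tokens so every old session is cut off."""
    USERS[user]["pwd_ver"] += 1
    for t in [t for t, u in REFRESH_TOKENS.items() if u == user]:
        del REFRESH_TOKENS[t]
```

In the real backend the version (or a "password changed at" timestamp) lives on the users row and is read on every request, which is one cheap lookup rather than a full session table.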