fix: JWT IP bound for enhanced security

[ymohit1603]

PR Fixes:

#1156

Checklist before requesting a review

• I have performed a self-review of my code
• I assure there is no similar/duplicate pull request regarding same issue

[MeerUzairWasHere]

I think, he said, if someone steals my jwt. but you're passing ip in jwt also? or I'm missing anything?

[ymohit1603]

Yeah,in this case we are signing jwt with ip address along with the traditional payload thing in the middleware when we are verifying the signed jwt it will return us the payload and the previous ip address used to sign it and then we can check if current ip is equal to the ip that signed the jwt.I think there is no need to store ip address in db when we can just sign the token with ip itself (:

[ymohit1603]

Although that person knows jwt but he doesn't know the secret used to sign and he will be unable to decode the jwt to get the ip

[MeerUzairWasHere]

Makes sense.

[Smnthjm08]

Question: Wouldn't it be better if we store token and IP Address in redis? @ymohit1603

[ymohit1603]

I am a bit confused why we need to store the JWT tokens in db. JWT is used for stateless authentication where we don't need to store the tokens in db or anywhere else , but instead we let clients keep it and we just need to verify the signature on server.
Although i think redis is a more efficient way for storing jwt than relational db.