I'm working on an API using Node and Express, with a Mongo database. My users can authenticate using a route, and they get a JWT in exchange.
I want to implement a security mechanism to protect said tokens. Namely, I want the tokens to auto-revoke when a user changes their password, and provide a "Revoke all apps" button that would invalidate all created tokens.
To do so, I added a nonce in the JWT body, which is a random v4 UUID. When the user changes their password or clicks the button, a new UUID is generated, causing a de facto revocation of all tokens, since the JWT's body won't match what's coming from the database.
Is this a good approach? I can't think of a way this would be broken, is there anything I overlooked?