I am building an authentication service with Python and Flask, and I use MongoDB to store user details.
When a user sends a request to an API that enforces the authentication service, I get the token from the request, check if the JWT is valid (I use RSA256), check if the exp is valid, and ultimately I retrieve the auth dict from the payload and check if the current API is authorised for this user. If all the previous checks are OK, I authorize the user and log him in.
In my JWT payload, I also have the userId. Should I use it to check that the user exists by calling the db? In addition to that, should I also get the auth dict from the db, or can I use the one from the payload?
By default, I trust the JWT and don't cross-check the info with the db. Is it alright?
Thanks for your help!
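An added example (not the poster's code) of the check sequence described in the question, with the database cross-check the question asks about added as one lookup per request. It assumes the RS256 signature has already been verified by a JWT library such as PyJWT, and it introduces a hypothetical `auth_version` claim and `disabled` flag that the real user documents may not have; the token and the user store are constructed.

```python
import base64
import json
import time

# Constructed stand-in for the MongoDB users collection (fake data); the real
# service would do one find_one({"_id": userId}) per request instead.
USERS = {
    "u-123": {"disabled": False, "auth_version": 3,
              "auth": {"GET /orders": True, "POST /orders": False}},
    "u-999": {"disabled": True, "auth_version": 1, "auth": {"GET /orders": True}},
}

# Constructed token: {"alg":"RS256"} header, {"userId":"u-123"} payload, placeholder signature.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJ1c2VySWQiOiJ1LTEyMyJ9.<signature>"

class AuthError(Exception):
    pass

def decode_payload(token: str) -> dict:
    """Base64url-decode JWT claims; assumes a library (e.g. PyJWT, RS256) already verified the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(claims: dict, route: str, users=USERS, now=None) -> str:
    """Return the userId allowed to call `route`, or raise AuthError; the store, not the token, decides permissions."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("token expired or missing exp")
    user_id = claims.get("userId")
    user = users.get(user_id)
    if user is None or user["disabled"]:
        raise AuthError("unknown or disabled user")
    # Hypothetical auth_version claim: bumped in the store whenever permissions
    # change, so older tokens (and the auth dict inside them) are rejected.
    if claims.get("auth_version") != user["auth_version"]:
        raise AuthError("permissions changed since token was issued")
    if not user["auth"].get(route, False):
        raise AuthError(f"{route} not authorised for {user_id}")
    return user_id

def decision(claims: dict, route: str, now=None) -> tuple:
    """View helper: ("ok", userId) or ("denied", reason) for a 401/403 body."""
    try:
        return ("ok", authorize(claims, route, now=now))
    except AuthError as err:
        return ("denied", str(err))
```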