I’m developing a web application for pharmacovigilance similar to VAERS and some UN health reporting dashboards. The app is built with .NET 8, Entity Framework Core, and MySQL. Users are medical professionals with roles like Doctor, Nurse, Pharmacovigilance Specialist, etc. Users should log in using email and password. I want to return a JWT token upon login, but I’m unsure if I should store the token and refresh token in the database or just return it to the client.

The app will record adverse event reports, similar to https://vaers.hhs.gov/, so security and proper role-based access control are essential.
Here’s my current login implementation:
    public async Task<UserResponseDTO> LoginUserAsync(LoginUserDto userDto)
    {
        var savedUser = await _identityManager.CheckCredentialsAsync(userDto.Email!, userDto.Password);
        if (savedUser is null)
            throw new Exception("Invalid credentials");

        return new UserResponseDTO
        {
            Id = savedUser.Id,
            UserName = savedUser.UserName!,
            Email = savedUser.Email!,
            UserRole = savedUser.UserRole!,
            Token = await _jwtTokenGenerator.GenerateToken(savedUser)
        };
    }

I want to implement this securely and follow best practices for medical data, JWT authentication, and role-based access in MySQL.
My QUESTIONS:
Should I add Token and RefreshToken columns to the User table, or is it better to only return the JWT to the client?
How can I safely implement refresh tokens if multiple devices per user are allowed?
Are there best practices for storing sensitive medical user data in MySQL while integrating with JWT authentication?
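The following is an added example written for this page; it is not the asker's code and does not come from any project named above. It addresses the first two questions with one design: the access JWT is never stored server-side (it is short-lived and verified by signature), and refresh tokens live in their own table rather than as Token/RefreshToken columns on the User row, one row per device session, storing only a SHA-256 hash of the opaque token. Rotation issues a replacement on every refresh, and presenting an already-consumed token is treated as theft and revokes that device's whole token family while other devices stay logged in. Everything here is assumed for illustration: the RefreshTokenRow class, the RefreshTokenService API, the device labels, the 14-day lifetime and the sample user "user-42"; an in-memory List stands in for the EF Core DbSet you would map to a MySQL table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// ASSUMED table shape, separate from the User table: one row per device session.
// Only the SHA-256 of the refresh token is stored; the raw token goes to the client once.
public sealed class RefreshTokenRow
{
    public Guid Id { get; init; }
    public Guid FamilyId { get; init; }            // all rotations of one device login share a family
    public string UserId { get; init; } = "";
    public string DeviceLabel { get; init; } = "";
    public string TokenHash { get; init; } = "";   // never the raw token; unique-indexed in MySQL
    public DateTimeOffset ExpiresAt { get; init; }
    public DateTimeOffset? RevokedAt { get; set; } // set when rotated, logged out, or reuse is detected
}

public sealed class RefreshTokenService
{
    private readonly List<RefreshTokenRow> _rows = new(); // stands in for DbSet<RefreshTokenRow>
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTimeOffset> _now;           // injectable clock for tests

    public RefreshTokenService(TimeSpan lifetime, Func<DateTimeOffset> now)
    {
        _lifetime = lifetime;
        _now = now;
    }

    // The token is 256 bits of CSPRNG output, not a password, so a fast hash is appropriate
    // and the hash column can be indexed for the lookup on refresh.
    public static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Login on a device: starts a new family and returns the raw token to that client.
    public string Issue(string userId, string deviceLabel) =>
        IssueInFamily(userId, deviceLabel, Guid.NewGuid());

    private string IssueInFamily(string userId, string deviceLabel, Guid familyId)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _rows.Add(new RefreshTokenRow
        {
            Id = Guid.NewGuid(), FamilyId = familyId, UserId = userId, DeviceLabel = deviceLabel,
            TokenHash = Hash(raw), ExpiresAt = _now() + _lifetime
        });
        return raw;
    }

    // Rotation: the presented token is consumed and a replacement is issued in the same family.
    // A token that was already consumed is a replay: revoke the whole family (that device's session).
    public (bool Ok, string? NewToken, string? UserId) Rotate(string presented)
    {
        var now = _now();
        var hash = Hash(presented);
        var row = _rows.SingleOrDefault(t => t.TokenHash == hash);
        if (row is null) return (false, null, null);

        if (row.RevokedAt is not null)
        {
            foreach (var t in _rows.Where(t => t.FamilyId == row.FamilyId && t.RevokedAt is null))
                t.RevokedAt = now;
            return (false, null, null);
        }
        if (now >= row.ExpiresAt) return (false, null, null);

        row.RevokedAt = now;
        return (true, IssueInFamily(row.UserId, row.DeviceLabel, row.FamilyId), row.UserId);
    }

    // "Log out this device" (familyId given) or "log out everywhere" (familyId null).
    public int Revoke(string userId, Guid? familyId = null)
    {
        var now = _now();
        var hit = _rows.Where(t => t.UserId == userId && t.RevokedAt is null
                                && (familyId is null || t.FamilyId == familyId)).ToList();
        hit.ForEach(t => t.RevokedAt = now);
        return hit.Count;
    }

    public IEnumerable<(Guid FamilyId, string DeviceLabel)> ActiveDevices(string userId) =>
        _rows.Where(t => t.UserId == userId && t.RevokedAt is null && _now() < t.ExpiresAt)
             .Select(t => (t.FamilyId, t.DeviceLabel));
}

public static class Demo
{
    public static void Main()
    {
        var clock = DateTimeOffset.UtcNow;
        var svc = new RefreshTokenService(TimeSpan.FromDays(14), () => clock);

        var phone = svc.Issue("user-42", "phone");   // constructed sample user, two devices
        var laptop = svc.Issue("user-42", "laptop");

        var (ok, phone2, _) = svc.Rotate(phone);     // normal refresh from the phone
        Console.WriteLine($"rotate phone: {ok}");                             // True

        var replay = svc.Rotate(phone);              // old phone token presented again (theft signal)
        Console.WriteLine($"replay old phone token: {replay.Ok}");            // False, family revoked
        Console.WriteLine($"phone2 still valid: {svc.Rotate(phone2!).Ok}");  // False, same family
        Console.WriteLine($"laptop unaffected: {svc.Rotate(laptop).Ok}");    // True
        Console.WriteLine("active devices: " +
            string.Join(", ", svc.ActiveDevices("user-42").Select(d => d.DeviceLabel))); // laptop
    }
}
```

In the real application the List becomes an EF Core entity with a unique index on TokenHash and an index on (UserId, FamilyId), Rotate runs inside a transaction so two concurrent refreshes with the same token cannot both succeed, and the access JWT keeps a short lifetime (minutes) so revoking a family bounds how long a stolen session stays usable. Nothing about the JWT itself needs a column: its signature, expiry and role claims are checked on every request without a database read, which is the reason to keep it short-lived and push long-term session state into this table.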
