I have this schema for my OAuthTokens table
const mongoose = require('mongoose');
const Schema = mongoose.Schema;

mongoose.model('OAuthTokens', new Schema({
  accessToken: { type: String },
  accessTokenExpiresOn: { type: Date },
  client: { type: Object },
  clientId: { type: String },
  refreshToken: { type: String },
  refreshTokenExpiresOn: { type: Date },
  user: { type: Object },
  userId: { type: String },
}));
Whenever I log in, I generate a new access token for that.
How do I handle access tokens when I log in to the same account from multiple machines? Do I have to generate an access token for each? And when logging out, is it ideal to remove the entry from the database, or should we expire the token?
It's difficult to answer because the contents of an access token, and how a resource server processes it, vary a lot.
Generally you should not need to generate different tokens for the same users on different machines.
Access and refresh tokens relate to delegated permissions which a user has consented for a certain application. Most APIs I've seen do not care about the authentication details - they tend to use the authorisation details.
However, there may be authentication information in the access token (e.g. IP address, method of authentication, local machine name) and it's conceivable that the resource server (which you present an access token to) uses this information to determine whether to process a request.
My guess is you could reuse them, but to know for sure you should check with the author of the API which consumes the access tokens you store.
Note you are not really logging in or out users with an access token - you should use an ID token for that scenario. An ID token is designed to allow your application to authenticate a user, whereas an access token is designed for your application (client) to obtain and use against another application (resource).