Posts for: #Software Engineering

Don’t be Dangerous


Shipping production software requires a lot of housekeeping, so much so that many developers mentally block out just how much time a day they spend endlessly shepherding their work through the release lifecycle. Does the pull request have merge conflicts? Are tests passing? Is the linter happy? Is some other automated check failing?

Most of these failures require intervention, whether it’s a finicky spec failing in a test suite or something more serious like a merge conflict. Intervening on behalf of multiple in-flight features is, at a certain point, a full-time job. I set out a long time ago (maybe more on that in another post) to fix one of these problems because of the unappreciated amount of risk it poses to releasing software: merge conflicts.


JWTs Are Not the Enemy


I finally felt compelled to write this after reading a little tidbit from a blog posted on Hacker News containing this perennial piece of technoFUD:

One of the downsides with JWTs is that banning users or adding/removing roles is a little harder if you need the action to be immediate.

Since the token is stored client side, there is no way to directly invalidate the token even if you mark the user as disabled in your database. Rather, you must wait until it expires.
