I am creating an rest-api with nextjs that will be with interacting with mobile application and web application. and my question is it a bad practice to the following as authentication without checking sessions. mysql scheme.
Table users.
ID USERID EMAIL NAME CREATEDAT
TABLE ACCESS TOKEN
ID USERID ACCESSTOKEN EXPIRATIONDATE IP LASTSIGNIN
User Create an account with https post request and creates a row at users table Also create a row with ip and access token with expiration date of the token.
Access token is save at the as cookie in users webbrowser
and with every visit on pages that require log in or a post request that token is matched with access token and ip is match with ip in access token tab
in case of difference in ip or token expired the users will be signed out immediately.