fix(core): revoke active JWT tokens after logout#2571
Open
Sourav-kashyap wants to merge 2 commits into
Open
Conversation
revoke active JWT tokens after logout GH-2570
samarpan-b
requested changes
Jun 20, 2026
| value(): VerifyFunction.BearerFn { | ||
| return async (token: string) => { | ||
| // Check if token has been revoked | ||
| await checkIfTokenRevoked(token, this.revokedTokenRepo, this.logger); |
Contributor
There was a problem hiding this comment.
where are we revoking this token actually ?
Contributor
Author
There was a problem hiding this comment.
sir the token is revoked using the existing RevokedTokenRepository
on logout (idp-login.service.ts) : token is stored via revokedTokensRepo.set()
on api request (services-bearer-asym-token-verifier.ts) : token is checked via checkIfTokenRevoked() which calls revokedTokenRepo.get(token) and throws TokenRevoked error if found
The same mechanism that the authentication service and facade services already use - we just added the same check to the service-level verifiers which were missing it.
fix trivy GH-2570
SonarQube reviewer guide
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



GH-2570
JWT Logout Security Fix
Problem Statement
Security Vulnerability: JWT Tokens Remain Valid After Logout
Issue: When a user logs out of the system, their JWT access token remains valid until its natural expiration time, allowing the token to be used for authenticated requests even after logout.
Impact: This creates a security vulnerability where:
Type of change
Checklist:
Build:
Test: