fix(core): revoke active JWT tokens after logout #2571

Open

Sourav-kashyap wants to merge 2 commits into master from GH-2570

Conversation

@Sourav-kashyap

Contributor

GH-2570

JWT Logout Security Fix

Problem Statement

Security Vulnerability: JWT Tokens Remain Valid After Logout

Issue: When a user logs out of the system, their JWT access token remains valid until its natural expiration time, allowing the token to be used for authenticated requests even after logout.

Impact: This creates a security vulnerability where:

  1. Logged-out users retain access to protected APIs until their JWT naturally expires
  2. Session invalidation through logout is ineffective
  3. In case of security incidents, compromised tokens cannot be immediately revoked
  4. Access token lifetime becomes the effective session lifetime, regardless of logout

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • Performed a self-review of my own code
  • npm test passes on your machine

Build: [screenshot: Screenshot 2026-06-19 at 6 14 25 PM]

Test: [screenshot: Screenshot 2026-06-19 at 6 14 41 PM]

revoke active JWT tokens after logout

GH-2570
@Sourav-kashyap Sourav-kashyap self-assigned this Jun 19, 2026
@Sourav-kashyap Sourav-kashyap requested a review from a team as a code owner June 19, 2026 12:50
@Sourav-kashyap Sourav-kashyap linked an issue Jun 19, 2026 that may be closed by this pull request
value(): VerifyFunction.BearerFn {
return async (token: string) => {
// Check if token has been revoked
await checkIfTokenRevoked(token, this.revokedTokenRepo, this.logger);
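Review bot: the revocation lookup is the first thing the bearer function does, keyed on the bearer string exactly as received, so the repository is queried before anything else in the verifier has established that the token is well-formed or genuine; a short comment stating whether checkIfTokenRevoked is intended to run before or after signature verification, and what the verifier does if the lookup itself fails (fail closed or continue), would make the intent reviewable, since only the check is visible in this hunk and the revocation itself happens elsewhere.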

Contributor

Where are we revoking this token actually?

Contributor Author

Sir, the token is revoked using the existing RevokedTokenRepository.

On logout (idp-login.service.ts): the token is stored via revokedTokensRepo.set().

On API request (services-bearer-asym-token-verifier.ts): the token is checked via checkIfTokenRevoked(), which calls revokedTokenRepo.get(token) and throws a TokenRevoked error if it is found.

It is the same mechanism that the authentication service and facade services already use; we just added the same check to the service-level verifiers, which were missing it.
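As an added example (not the project's code), the logout-time deny-list and request-time check described in the reply above, with an in-memory Map standing in for RevokedTokenRepository; it also scopes each entry's lifetime to the token's own `exp` claim so the store only ever holds tokens that could still be accepted. The sample JWT is constructed and unsigned, and signature verification is assumed to happen separately.

```typescript
// Added example, not the project's code. Assumption: an in-memory Map stands in
// for RevokedTokenRepository; the sample token below is constructed and unsigned.
class TokenRevoked extends Error {
  constructor() { super("Token has been revoked"); this.name = "TokenRevoked"; }
}

class RevokedTokenStore {
  // token -> absolute time (seconds since epoch) until which the entry is kept
  private readonly entries = new Map<string, number>();
  set(token: string, ttlSeconds: number, nowSec: number): void {
    if (ttlSeconds > 0) this.entries.set(token, nowSec + ttlSeconds); // already-expired tokens need no entry
  }
  get(token: string, nowSec: number): boolean {
    const until = this.entries.get(token);
    if (until === undefined) return false;
    if (until <= nowSec) { this.entries.delete(token); return false; } // token has expired on its own
    return true;
  }
  size(): number { return this.entries.size; }
}

// Read `exp` (seconds since epoch) from the JWT payload segment; undefined if absent or unparsable.
function tokenExp(token: string): number | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const exp = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")).exp;
    return typeof exp === "number" ? exp : undefined;
  } catch { return undefined; }
}

const FALLBACK_TTL_SEC = 3600; // assumed default when a token carries no usable exp

// Logout: deny-list the token for the remainder of its lifetime.
function logout(store: RevokedTokenStore, token: string, nowSec: number): void {
  const exp = tokenExp(token);
  store.set(token, exp === undefined ? FALLBACK_TTL_SEC : exp - nowSec, nowSec);
}

// Request-time check, mirroring the role of checkIfTokenRevoked(): reject deny-listed tokens.
function checkIfTokenRevoked(store: RevokedTokenStore, token: string, nowSec: number): void {
  if (store.get(token, nowSec)) throw new TokenRevoked();
}

// Constructed, unsigned sample token (header.payload.signature) with exp = 2000000000.
const b64url = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
const SAMPLE_TOKEN = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url({ sub: "u1", exp: 2000000000 })}.sig`;
```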


Development

Successfully merging this pull request may close these issues.

Security Vulnerability: JWT Tokens Remain Valid After Logout