I discovered what I think of as a Critical issue with the development branch. If I blacklist a token (logout), I can refresh it and then use it again without re-authenticating...
Here is the series of things I'm doing to reproduce.
login
hit a protected route (jwt.auth) -> lets me in
logout (blacklist/invalidate the token)
hit the protected route again (401 unauthorized your token has been blacklisted message)
hit the refresh endpoint (jwt.refresh) -> 200 OK
hit the protected route again (jwt.auth) -> lets me in!
I've already checked I have blacklist enabled, and I don't have a grace period on blacklisted tokens.
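The sequence in the report above is the classic check for token revocation: a logged-out token must be rejected by both the auth guard and the refresh endpoint, while a live (or recently expired but still refreshable) token must still be rotatable. The following is an added, self-contained model of that lifecycle written for this thread; it is not code from the jwt-auth project and uses its own hypothetical `issue`, `authenticate`, `logout` and `refresh` functions, a constructed secret, and an in-memory blacklist keyed on the token's `jti`. It assumes no blacklist grace period, as the reporter states.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret"  # constructed for the example; load from config in real code
TTL = 60                             # seconds an access token is valid (hypothetical value)
REFRESH_TTL = 3600                   # seconds after issue during which a token may still be refreshed

# Revoked token ids. A real deployment would keep this in a shared store so every
# app server sees the same revocations.
blacklist = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(sub: str, now=None) -> str:
    """Mint a compact HMAC-SHA256 signed token with a unique jti."""
    now = time.time() if now is None else now
    payload = {"sub": sub, "jti": secrets.token_hex(8), "iat": now, "exp": now + TTL}
    body = _b64(json.dumps(payload).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode(token: str) -> dict:
    """Verify the signature and return the claims; raises on tampering."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def authenticate(token: str, now=None) -> str:
    """The protected-route check: signature, blacklist, then expiry."""
    now = time.time() if now is None else now
    claims = decode(token)
    if claims["jti"] in blacklist:
        raise PermissionError("token has been blacklisted")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]


def logout(token: str) -> None:
    """Invalidate the token immediately (no grace period)."""
    blacklist.add(decode(token)["jti"])


def refresh(token: str, now=None) -> str:
    """Rotate a token. The blacklist check must run BEFORE the old jti is
    revoked, and the refresh window is measured from iat, so an expired but
    not-revoked token is still refreshable."""
    now = time.time() if now is None else now
    claims = decode(token)
    if claims["jti"] in blacklist:
        raise PermissionError("token has been blacklisted")
    if now >= claims["iat"] + REFRESH_TTL:
        raise PermissionError("refresh window closed")
    blacklist.add(claims["jti"])  # the old token can never be replayed
    return issue(claims["sub"], now)


def rejected(fn, token: str, now) -> bool:
    """True if the guard refused the token."""
    try:
        fn(token, now)
        return False
    except PermissionError:
        return True


def reproduce_report(now: float = 1000.0) -> list:
    """Walk the reporter's sequence and record each outcome."""
    t = issue("alice", now)
    steps = [authenticate(t, now + 1) == "alice"]          # login + protected route: allowed
    logout(t)
    steps.append(rejected(authenticate, t, now + 2))       # protected route: blacklisted
    steps.append(rejected(refresh, t, now + 3))            # refresh: must also be blacklisted
    return steps


def refresh_still_works(now: float = 2000.0) -> bool:
    """Counterpart to the second issue: a non-revoked token inside refresh_ttl
    rotates cleanly, the new token works, and the old one is dead."""
    old = issue("bob", now)
    new = refresh(old, now + TTL + 5)                      # access TTL passed, refresh window open
    return (authenticate(new, now + TTL + 6) == "bob"
            and rejected(authenticate, old, now + TTL + 6))


if __name__ == "__main__":
    print("reproduction:", reproduce_report())
    print("refresh after expiry still works:", refresh_still_works())
```

The ordering in `refresh` is what keeps the two issues in the thread from trading places: checking the blacklist first closes the replay-after-logout hole, and revoking the old `jti` only after the check means a legitimate rotation does not trip over its own revocation.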
Just looked at this again, and you're correct. The regression was introduced here
Going to push a fix now and do some more investigation
Could you pull in the latest and check that it fixes the problem for you please?
@tymondesigns pulling it in now, I will report back soon.
@tymondesigns Ya that seems to have fixed this. Thanks! I was really scratching my head trying to debug it.
Awesome thank you for raising 👍
@tymondesigns I may open another issue, but wanted to tell you here first. I think fixing that issue, causes another one.
I am now unable to use the refresh middleware to actually refresh the token (even during the refresh_ttl) because it checks the blacklist, and I get the error about the token being on the blacklist. I'll see if I can find an easy fix and make a pull request; however, I'm not so sure after taking a brief look, so you may have to handle it yourself. It would be a shame if these 2 issues keep regressing back and forth, so it's a good idea to keep them both in mind.
I had the same problem, but in this case in dev-develop branch.
It was solved there also. :+1:
Thanks!