Access token is not invalidated after logout

[markvital]

It looks like a user is able to access resources that need authentication even after access/refresh tokens are removed (logout event)

To reproduce:

• Create new user using POST /auth/register API endpoint
• newly access and refresh tokens should be generated, copy them somewhere
• Set user role to admin in database
• Now user should be able to access GET /users endpoint using earlier generated access token
• logout using POST /auth/logout passing earlier generated refresh token in the body or alternatively delete all tokens in the database
• The user is still able to access GET /users endpoint using earlier generated access token

I assume after user logout, access token associated with current refresh token should become invalid, correct?

[markvital]

Found this on auth0 website:

Access tokens cannot be invalidated: they are designed to be self contained, not requiring a check with Auth0 to validate, so there is no way to invalidate them.

For this reason, access tokens should have a short lifetime.

So it looks like access token should not be invalidated after logout, only refresh token

[jleei]

You can add a field to the user table that restricts access tokens. Then check this field in the passport's config, if true, restrict the user to use the access token