logout api only invalidate the refresh token, but the auth token is still valid until it expires

hagopj13 / node-express-boilerplate

A boilerplate for building production-ready RESTful APIs using Node.js, Express, and Mongoose

MIT License

7k stars 2.05k forks source link

logout api only invalidate the refresh token, but the auth token is still valid until it expires #267

Open Bacce opened 1 year ago

Bacce commented 1 year ago

logout endpoint was implemented here: https://github.com/hagopj13/node-express-boilerplate/issues/19

aliasgar55 commented 1 year ago

That should be a expected behavior and hence we keep the expire time of access token low If your application requires a more strict logout policy, maybe you can add a memory database which can track the user logouts, and every time you check the access token you also check if the user has logged out, and if the user has logged out you can return a 401 error to the user You will probably also need to add some more fields to the JWT token to make this work

imuhammadarsalan commented 1 year ago

Ive tested the api logout but i think it is not working , Ive login as admin and after logout i can access /users endpoint which is not good !! please take a look at this bug..

Thanks. Muhammad.