logout api only invalidate the refresh token, but the auth token is still valid until it expires

hagopj13 / node-express-boilerplate

A boilerplate for building production-ready RESTful APIs using Node.js, Express, and Mongoose

MIT License

6.66k stars 1.98k forks source link

logout api only invalidate the refresh token, but the auth token is still valid until it expires #267

Open Bacce opened 10 months ago

Bacce commented 10 months ago

logout endpoint was implemented here: https://github.com/hagopj13/node-express-boilerplate/issues/19

aliasgar55 commented 9 months ago

That should be a expected behavior and hence we keep the expire time of access token low If your application requires a more strict logout policy, maybe you can add a memory database which can track the user logouts, and every time you check the access token you also check if the user has logged out, and if the user has logged out you can return a 401 error to the user You will probably also need to add some more fields to the JWT token to make this work

imuhammadarsalan commented 9 months ago

Ive tested the api logout but i think it is not working , Ive login as admin and after logout i can access /users endpoint which is not good !! please take a look at this bug..

Thanks. Muhammad.