janko / rodauth-rails

Rails integration for Rodauth authentication framework
https://github.com/jeremyevans/rodauth
MIT License

Active Sessions not revoking JWT #313

Closed mdodell closed 3 weeks ago

mdodell commented 3 weeks ago

I am currently trying to implement logout using a JSON Rodauth API. I was reading the rodauth JWT spec and saw this:

Logging the session out does not invalidate the previous JWT token by default. If you would like this behavior, you can use the active_sessions feature, which stores session identifiers in the database and deletes them when the session expires. This provides a whitelist approach of revoking JWT tokens.

Because of that, I have added an after_logout hook that does exactly that:

class RodauthMain < Rodauth::Rails::Auth
  def merge_account
    account = Account.find(account_id)
    json_response.merge!(account: AccountResource.new(account).serializable_hash)
  end

  configure do
    # List of authentication features that are loaded.
    enable :create_account, :verify_account, :verify_account_grace_period,
           :login, :logout, :json,
           :reset_password, :change_password, :change_password_notify,
           :change_login, :verify_login_change, :close_account, :jwt_refresh, :jwt, :active_sessions

    # ...other rodauth settings
    after_logout do
      remove_active_session(@jwt_payload['active_session_id'])
    end

  end
end

Unfortunately, I am still able to make requests using that JWT token even after logging out. When I make a request to logout, I see this response:

Started POST "/logout" for 127.0.0.1 at 2024-08-20 15:50:10 +0000
Processing by RodauthApp#call as */*
  TRANSACTION (0.6ms)  BEGIN
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  DELETE FROM "account_active_session_keys" WHERE (("account_id" = 'c16bc0fd-a84b-4377-b99f-33a46e9258e2') AND ("session_id" IN ('uOlEpCLGp7rjeLSCciWealU-5PH6ylZq9oCE8-llh6c')))
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  DELETE FROM "account_active_session_keys" WHERE (("account_id" IS NULL) AND ("session_id" = 'CqWSpjHq7hhfjFlxFoeQtzOp7YuPTDEO0DdngsA7JU0'))
  ↳ app/misc/rodauth_main.rb:162:in `block (2 levels) in <class:RodauthMain>'
  TRANSACTION (1.2ms)  COMMIT
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
Completed 200 OK in 37ms (ActiveRecord: 3.5ms (2 queries, 0 cached) | GC: 0.7ms)
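As an added illustration (not Rodauth's or rodauth-rails's own code) of the whitelist approach the quoted docs describe: the token carries a random session id, the server stores only its HMAC, and logout deletes that row so a token whose signature still verifies is no longer accepted. The class and method names here are assumptions for the example.

```ruby
require "openssl"
require "securerandom"

# Added example (not Rodauth code): a minimal allowlist ("active sessions")
# for JWT-style tokens. A random session id travels inside the token; only
# its HMAC is kept server-side, mirroring the feature quoted above.
class ActiveSessionStore
  def initialize(hmac_secret)
    @hmac_secret = hmac_secret
    @rows = {} # constructed in-memory stand-in for account_active_session_keys
  end

  # Called at login: mints a session id and records its HMAC for the account.
  def open_session(account_id)
    session_id = SecureRandom.urlsafe_base64(32)
    @rows[hmac(session_id)] = account_id
    session_id
  end

  # Called at logout: the raw id from the token is hashed before lookup,
  # so a leaked table never exposes ids that are still usable.
  def close_session(session_id)
    !@rows.delete(hmac(session_id)).nil?
  end

  # Called on every authenticated request: a token whose session row is
  # gone (logged out) is rejected even though its signature still verifies.
  def active?(session_id, account_id)
    @rows[hmac(session_id)] == account_id
  end

  private

  def hmac(value)
    OpenSSL::HMAC.hexdigest("SHA256", @hmac_secret, value)
  end
end

# Token payload shaped like the active_session_id claim from the issue.
def build_payload(account_id, session_id)
  { "account_id" => account_id, "active_session_id" => session_id }
end

# Request-time check: a valid signature alone is not enough; the session
# must still be present in the allowlist for the claimed account.
def authorized?(store, payload)
  store.active?(payload["active_session_id"], payload["account_id"])
end
```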

mdodell commented 3 weeks ago

Closing this in favor of a discussion.