I am currently trying to implement logout using a JSON Rodauth API. I was reading the rodauth JWT spec and saw this:
Logging the session out does not invalidate the previous JWT token by default. If you would like this behavior, you can use the active_sessions feature, which stores session identifiers in the database and deletes them when the session expires. This provides a whitelist approach of revoking JWT tokens.
Because of that, I have added an after_logout hook that does exactly that:
```ruby
class RodauthMain < Rodauth::Rails::Auth
  def merge_account
    account = Account.find(account_id)
    json_response.merge!(account: AccountResource.new(account).serializable_hash)
  end

  configure do
    # List of authentication features that are loaded.
    enable :create_account, :verify_account, :verify_account_grace_period,
           :login, :logout, :json,
           :reset_password, :change_password, :change_password_notify,
           :change_login, :verify_login_change, :close_account, :jwt_refresh, :jwt, :active_sessions

    # ...other rodauth settings

    after_logout do
      remove_active_session(@jwt_payload['active_session_id'])
    end
  end
end
```
Unfortunately, I am still able to make requests using that JWT token even after logging out. When I make a request to logout, I see this response:
```text
Started POST "/logout" for 127.0.0.1 at 2024-08-20 15:50:10 +0000
Processing by RodauthApp#call as */*
  TRANSACTION (0.6ms)  BEGIN
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  DELETE FROM "account_active_session_keys" WHERE (("account_id" = 'c16bc0fd-a84b-4377-b99f-33a46e9258e2') AND ("session_id" IN ('uOlEpCLGp7rjeLSCciWealU-5PH6ylZq9oCE8-llh6c')))
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  DELETE FROM "account_active_session_keys" WHERE (("account_id" IS NULL) AND ("session_id" = 'CqWSpjHq7hhfjFlxFoeQtzOp7YuPTDEO0DdngsA7JU0'))
  ↳ app/misc/rodauth_main.rb:162:in `block (2 levels) in <class:RodauthMain>'
  TRANSACTION (1.2ms)  COMMIT
  ↳ app/misc/rodauth_app.rb:15:in `block in <class:RodauthApp>'
Completed 200 OK in 37ms (ActiveRecord: 3.5ms (2 queries, 0 cached) | GC: 0.7ms)
```
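The whitelist model that the quoted spec describes (a JWT is honoured only while its session id is still present in a server-side table, and logout deletes that row) can be shown end to end without Rodauth. The following is an added, self-contained illustration, not code from the question or from Rodauth: `ActiveSessionStore` is a constructed in-memory stand-in for the `account_active_session_keys` table, the HS256 JWT is built by hand with the Ruby standard library, and the `account_id` and signing key are constructed sample values. The point it demonstrates is that a token with a valid signature is still rejected once its session id has been removed from the store.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed demo key; a real deployment takes the key from configuration.
HMAC_KEY = 'constructed-demo-key-do-not-reuse'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build a minimal HS256 JWT carrying the account id and the session id that
# was stored at login time (the claim name mirrors the question's hook).
def issue_jwt(account_id, session_id, key: HMAC_KEY)
  header  = b64url(JSON.generate(typ: 'JWT', alg: 'HS256'))
  payload = b64url(JSON.generate(account_id: account_id,
                                 active_session_id: session_id))
  signing_input = "#{header}.#{payload}"
  sig = OpenSSL::HMAC.digest('SHA256', key, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# In-memory stand-in for the account_active_session_keys table
# (constructed for this example): session_id => account_id.
class ActiveSessionStore
  def initialize
    @sessions = {}
  end

  # Called at login: mint a session id and whitelist it for the account.
  def create(account_id)
    session_id = SecureRandom.urlsafe_base64(32)
    @sessions[session_id] = account_id
    session_id
  end

  # A session is only valid for the account it was created for.
  def active?(account_id, session_id)
    @sessions[session_id] == account_id
  end

  # Called at logout: removing the row is what revokes the token.
  def remove(session_id)
    @sessions.delete(session_id)
  end
end

# Verify the signature first, then require the session to still be
# whitelisted. Returns the claims hash on success, nil on any failure.
def authenticate(token, store, key: HMAC_KEY)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  expected = b64url(OpenSSL::HMAC.digest('SHA256', key, "#{header}.#{payload}"))
  # Constant-time compare; length check first because the helper requires equal sizes.
  return nil unless sig.bytesize == expected.bytesize &&
                    OpenSSL.fixed_length_secure_compare(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless store.active?(claims['account_id'], claims['active_session_id'])
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Login -> authenticated request -> logout -> same token again.
# Returns [accepted_before_logout, accepted_after_logout].
def logout_round_trip
  store      = ActiveSessionStore.new
  account_id = 'acct-123' # constructed sample id
  session_id = store.create(account_id)
  token      = issue_jwt(account_id, session_id)

  before = !authenticate(token, store).nil?
  store.remove(session_id) # the logout step; signature stays valid, whitelist entry is gone
  after  = !authenticate(token, store).nil?
  [before, after]
end

puts logout_round_trip.inspect if $PROGRAM_NAME == __FILE__ # => [true, false]
```

When diagnosing a setup like the one in the question, the useful check is the second half of `logout_round_trip`: if the token is still accepted after logout, either the row that was deleted is not the one the token's `active_session_id` refers to, or the request path never consults the store at all. Comparing the session id inside the JWT payload with the `session_id` values in the `DELETE` statements from the log is the quickest way to tell which.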