jmprathab / MyHome

A Java application which helps people to manage their apartment.
Apache License 2.0
92 stars 103 forks

JWT token invalidation after password change #247

Open DDmit04 opened 3 years ago

DDmit04 commented 3 years ago

⚠️ Is your feature request related to a problem? Please describe

After a user changes their password, all login sessions (and JWT tokens) stay valid.

💡 Describe the solution you'd like

Add an invalid token store (in Redis, for example) which automatically deletes tokens on expiration.

🤚 Do you want to develop this feature yourself?

JanneSickert commented 3 years ago

I will try to fix that issue.

Ikhiloya commented 1 year ago

I see that this is still open, I'd like to try it out.

Here's my solution approach:

  1. Create a Redis token store for tokens to be invalidated after a user has changed password.
  2. The token store will hold the token, issuedAt and expiry data.
  3. Once the user's password is changed, the token, issuedAt and expiry fields are stored. This will require decoding the token.
  4. A cron job would run in the background to delete tokens whose expiry is less than the current time from the Redis token store.
  5. The login workflow has to be modified to intercept and check for tokens for which the user has changed the password. That is, the doFilter() method of the JwtFilter should check the Redis token store for the request token and, if it does, should return an authorized response. Of course, this will lead to an additional query for each request for a resource, but performance will not be hampered since Redis has a fast search mechanism.

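The following is an added example sketching the revocation checks discussed in the issue description and in the approach above; it is written in Python for illustration and is not the project's Java code. It assumes HS256-signed tokens carrying `sub`, `jti`, `iat` and `exp`, a one-hour maximum token lifetime, and an in-memory `RevocationStore` standing in for Redis `SETEX`/`GET`. Beyond the per-token denylist, it also records a per-user password-change timestamp and rejects any token issued before it, so sessions whose tokens the server never saw are revoked too; key TTLs replace the cron job, since a denylist entry only needs to outlive the token it blocks.

```python
"""Stateless JWT plus a small revocation store (stand-in for Redis SETEX/GET).

Two revocation checks run in the request filter (what JwtFilter.doFilter()
would do in the project):
  1. a per-token denylist keyed by jti (explicit logout), and
  2. a per-user "password changed at" timestamp; any token whose iat is
     older than it is rejected, covering sessions the server never saw.
Every key is written with a TTL, so the store cleans itself up.
All names here are assumptions for the example, not the project's API.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

MAX_TOKEN_LIFETIME = 3600  # seconds; assumed access-token lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, sub: str, jti: str, iat: int) -> str:
    """Issue a compact HS256 JWS with sub/jti/iat/exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": jti, "iat": iat, "exp": iat + MAX_TOKEN_LIFETIME}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(secret: bytes, token: str) -> dict:
    """Return the claims if the HS256 signature is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none etc.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class RevocationStore:
    """Minimal stand-in for Redis SETEX/GET: keys expire, lazily, on read."""

    def __init__(self):
        self._data = {}  # key -> (value, expires_at)

    def set_ex(self, key: str, value, ttl: int, now: int) -> None:
        self._data[key] = (value, now + ttl)

    def get(self, key: str, now: int):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if now >= expires_at:
            del self._data[key]  # same effect as Redis key expiry
            return None
        return value


def revoke_token(store: RevocationStore, claims: dict, now: int) -> None:
    """Logout: denylist this jti only for as long as the token could still be used."""
    ttl = claims["exp"] - now
    if ttl > 0:
        store.set_ex(f"revoked:{claims['jti']}", 1, ttl, now)


def on_password_changed(store: RevocationStore, sub: str, now: int) -> None:
    """Record the change; after MAX_TOKEN_LIFETIME every older token has expired anyway."""
    store.set_ex(f"pwchange:{sub}", now, MAX_TOKEN_LIFETIME, now)


def authenticate(secret: bytes, store: RevocationStore, token: str, now: int) -> Optional[dict]:
    """Filter logic: return the claims to authorize the request, or None for a 401."""
    try:
        claims = verify_signature(secret, token)
    except ValueError:
        return None
    if now >= claims["exp"]:
        return None
    if store.get(f"revoked:{claims['jti']}", now) is not None:
        return None
    changed_at = store.get(f"pwchange:{claims['sub']}", now)
    # Tokens minted in the same second as the change are accepted, so mint the
    # post-change token only after on_password_changed() has been recorded.
    if changed_at is not None and claims["iat"] < changed_at:
        return None  # issued before the password change: stale session
    return claims
```

With this layout the password-change path needs no knowledge of outstanding tokens: it writes one key per user, and the per-request cost is two key lookups, the same order of work as the single lookup proposed above.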
MargotRasamy commented 1 year ago

Hello! I'd like to work on this with my friend @salamisodikiolawale for a school assignment. Could you assign it to me please? And to my friend too, if possible.