Open MariusJulius opened 8 months ago
There's no good way to handle this without introducing SSR for the frontend application and hiding the JWT from the user's browser so that the user couldn't access it. It won't solve the exact issue since the access token JWT can still be used before its expiry date even if the session has been destroyed (during logout). https://stackoverflow.com/questions/31919067/how-can-i-revoke-a-jwt-token
To mitigate this kind of attack vector we can decrease the lifespan of the access token to a lesser value.
Discussion agreements in Teams chat. Needs both BE (~20h) and FE work (needs FE task).
PID: 10
Short description: JWT tokens should be revoked on the server after logout
Full overview in test report.
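One server-side way to close the window described above, as an added example that is not part of the issue or the project's code: an HS256 JWT verifier that denylists the token's jti on logout and keeps the access-token lifetime short. The helper names, the placeholder signing key and the 300-second TTL are all assumptions of this example.

```python
import base64, hashlib, hmac, json
from typing import Optional
# Constructed demo: HS256 JWT mint/verify plus a server-side revocation list
# keyed by "jti". Hypothetical helpers, not the project's code; placeholder key.
SECRET = b"placeholder-signing-key"
ACCESS_TOKEN_TTL = 300  # seconds; a short lifetime bounds the post-logout window
revoked_jti = {}        # jti -> exp, so entries can be pruned once harmless

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, jti: str, now: float) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "jti": jti, "iat": int(now),
                               "exp": int(now) + ACCESS_TOKEN_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: float) -> Optional[dict]:
    # Claims if signature, alg, expiry and revocation checks all pass, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None  # reject alg confusion even when the MAC happens to match
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in revoked_jti:
        return None  # logged out: not yet expired, but no longer accepted
    return claims

def logout(token: str, now: float) -> bool:
    # Server-side logout: denylist the jti only until the token would expire anyway.
    claims = verify_token(token, now)
    if claims is None:
        return False
    revoked_jti[claims["jti"]] = claims["exp"]
    return True

def prune_revoked(now: float) -> None:
    # Drop entries for tokens that have expired; the list stays bounded by the TTL.
    for jti, exp in list(revoked_jti.items()):
        if exp <= now:
            del revoked_jti[jti]
```

Because every entry expires together with its token, the denylist never grows beyond the number of logouts within one TTL, which is what makes the short lifetime and the revocation list complementary rather than alternatives.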