Possible bug in JSON web token expirations

[scottinet]

To be investigated:

Hi Sebastien,

I'm a researcher at Clemson University and we are looking at Kuzzle as a 
backend for environmental data collection and we are encountering some 
issues with JWTs disappearing from the Redis cache before the expiration 
date (within an hour or less). 

I'm using the master branch on commit 8fc25bf1f118352afd52c0d91444ef3f4471664a. 
For testing we are pre-generating the JWT with a generic user we created that 
has write access to the specific index and collection we are using with an expiration 
in the future. We are able to add data to the collection but at some point the tokens 
disappear from Redis. 

I've confirmed that the Redis entries contain the proper expiresAt and ttl entries, 
yet they disappear within a short timeframe. 
I noticed that the same thing occurs when I sign in via Kuzzle Backend, the JWT 
entry shows a 4 hour expiration, but I have to log in again much sooner than that. 
Any ideas as to what me be happening would be appreciated.

Follow-up:

I experimented a bit more last night with this. I think it was a coincidence that the first login 
token was removed before I tried logging in again. I did observe several successful 
simultaneous logins. However, this morning they were all gone from Redis. Also, is it normal 
to get two entries in redis upon for each login? They have the formats below:

repos/%kuzzle/token/<username>#<jwt>
repos/%kuzzle/token<jwt>

[scottinet]

I've finished analyzing this issue, and I found multiple problems:

• there are indeed 2 keys generated in Redis: this is normal, they have 2 different purposes. But this introduces unnecessary complexity and I'm pretty sure that we can keep only one of these 2 keys
• the auth:logout API route expires only one of the 2 keys, leaving useless keys in redis
• due to a typo, one of the 2 keys has a much, much shorter TTL in redis, forcing kuzzle to invalidate both keys much sooner than the configured expiration time

Expect a fix in the next few days. Kuzzle 1.2.11 will be released soon after that, as there are a few critical bugfixes to be released

[scottinet]

Fix: https://github.com/kuzzleio/kuzzle/pull/1086

Kuzzle 1.2.11 will be released this week.