maxgalbu / adonis5-jwt

JWT Authentication service for Adonisjs v5
MIT License

Logout isn't working #3

Closed DavidMoura07 closed 2 years ago

DavidMoura07 commented 2 years ago

Hi, thanks for developing this feature, I really needed it. Unfortunately logout isn't working for me: my code is basically the same as in your docs, but my tokens are not being removed from the database after the revoke method.

  public async logout({ auth }: HttpContextContract) {
    await auth.use('jwt').revoke()
    return {
      revoked: true,
    }
  }

After running the method above, I can still use the same token and nothing changes in the jwt_tokens table. Can you check whether there is any problem with the revoke() method?

My config file is like this:

const authConfig: AuthConfig = {
  guard: 'jwt',
  guards: {
    api: {
      driver: 'oat',
      tokenProvider: {
        type: 'api',
        driver: 'redis',
        redisConnection: 'local',
        foreignKey: 'user_id',
      },
      provider: {
        driver: 'lucid',
        identifierKey: 'id',
        uids: ['email'],
        model: () => import('App/Models/User'),
      },
    },
    jwt: {
      driver: 'jwt',
      publicKey: Env.get('JWT_PUBLIC_KEY', '').replace(/\\n/g, '\n'),
      privateKey: Env.get('JWT_PRIVATE_KEY', '').replace(/\\n/g, '\n'),
      tokenProvider: {
        type: 'jwt',
        driver: 'database',
        table: 'jwt_tokens',
        foreignKey: 'user_id',
        refreshTokenKey: 'refresh_token',
        // redisConnection: 'local',
      },
      provider: {
        driver: 'lucid',
        identifierKey: 'id',
        uids: ['email'],
        model: () => import('App/Models/User'),
      },
    },
  },
}

And my contract is:

declare module '@ioc:Adonis/Addons/Auth' {
  interface ProvidersList {
    user: {
      implementation: LucidProviderContract<typeof User>
      config: LucidProviderConfig<typeof User>
    }
  }

  interface GuardsList {
    api: {
      implementation: OATGuardContract<'user', 'api'>
      config: OATGuardConfig<'user'>
    }
    jwt: {
      implementation: JWTGuardContract<'user', 'jwt'>
      config: JWTGuardConfig<'user'>
    }
  }
}
maxgalbu commented 2 years ago

I've made a lot of changes in 825566a6a0b441841205370562f5c3bef3023df2 and released v1.1.0 on npm, some of which fix logout/revocation.

Could you please test again? To do so, you should roll back the old migration of jwt_tokens and rerun node ace configure adonis5-jwt

maxgalbu commented 2 years ago

Also, with the latest changes, you can now decide whether you want to persist the JWT in the DB (so that logout invalidates both the JWT and the refresh token), or not persist the JWT (logout deletes the refresh token, but does nothing to the JWT, which is still valid until it expires).

The latter is the recommended and default behavior with JWTs: in short, you should create a JWT with a reasonably short expiry time, then use the refresh token to generate a new one, see some of these answers:

In short, if you don't store JWT in DB then yes, the JWT will continue to be valid until it expires.

maxgalbu commented 2 years ago

Please reopen if the issue is still present