waiting-for-dev / devise-jwt

JWT token authentication with devise and rails
MIT License

Consider advising users to add this code to revoke the JWT on password reset #262

Closed carsomyr closed 11 months ago

carsomyr commented 1 year ago

Assuming a JTI revocation strategy and recoverable on a Devise'd User model, this is the code I added to revoke the JWT when the user resets their password:

```ruby
class User < ApplicationRecord
  include ::Devise::JWT::RevocationStrategies::JTIMatcher

  devise :database_authenticatable, :recoverable,
         :jwt_authenticatable, jwt_revocation_strategy: self

  # Overriding the class method mixed in by `recoverable`. Devise returns the
  # record whether or not the reset succeeded, so only rotate the jti on a
  # successful reset; calling `revoke_jwt` on an unsaved or invalid record
  # would fail the `update_column` that JTIMatcher performs.
  def self.reset_password_by_token(attributes = {})
    user = super

    revoke_jwt(nil, user) if user.persisted? && user.errors.empty?

    user
  end
end
```

The above snippet addresses the scenario of a stolen token and the app's creators advising the user to reset their password. A major action such as this already invalidates the session's authenticatable_salt, and it follows that the JWT should also be revoked.
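As an added example, not code from this issue or from devise-jwt, the following stand-alone Ruby script models the JTI strategy described above and the password-reset rotation the post asks for: every token issued to a user carries the user's single `jti`, a token is rejected once that value no longer matches, and a password reset rotates it. The HS256 codec, the `User` class, `authenticate` and `stolen_token_scenario` are hypothetical stand-ins for what warden-jwt_auth, the ActiveRecord model and the Warden strategy do in a real app; the secret and user data are constructed test values.

```ruby
require 'json'
require 'openssl'
require 'securerandom'

# Minimal HS256 JWT codec on the standard library, standing in for the
# warden-jwt_auth encoder/decoder. SECRET is a constructed test value.
module JWTCodec
  SECRET = 'constructed-test-secret-do-not-reuse'.freeze

  def self.b64url(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  def self.sign(signing_input)
    b64url(OpenSSL::HMAC.digest('SHA256', SECRET, signing_input))
  end

  def self.encode(payload)
    header = b64url({ 'alg' => 'HS256', 'typ' => 'JWT' }.to_json)
    body = b64url(payload.to_json)
    "#{header}.#{body}.#{sign("#{header}.#{body}")}"
  end

  # Returns the payload hash, or nil when the token is malformed or its
  # signature does not verify. The body is not parsed until the signature
  # has been accepted, and the comparison is constant time.
  def self.decode(token)
    parts = token.to_s.split('.')
    return nil unless parts.length == 3
    header, body, sig = parts
    return nil unless secure_equal?(sign("#{header}.#{body}"), sig)
    JSON.parse(unb64url(body))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical user record. One jti is shared by every token issued to the
# user (JTIMatcher keeps it in a jti column), so rotating it revokes them all.
class User
  attr_reader :id, :jti

  def initialize(id, password)
    @id = id
    @jti = SecureRandom.uuid
    @password_digest = digest(password)
  end

  # Claims embedded in each token, as JTIMatcher#jwt_payload does.
  def jwt_payload
    { 'sub' => id, 'jti' => jti }
  end

  # JTIMatcher.jwt_revoked?: the token is dead once its jti no longer matches.
  def jwt_revoked?(payload)
    payload['jti'] != jti
  end

  # JTIMatcher.revoke_jwt: rotate the stored jti.
  def revoke_jwt!
    @jti = SecureRandom.uuid
  end

  def password?(candidate)
    @password_digest == digest(candidate)
  end

  # The step the issue asks for: a password reset also rotates the jti, so a
  # token stolen before the reset stops authenticating.
  def reset_password!(new_password)
    @password_digest = digest(new_password)
    revoke_jwt!
  end

  private

  # Stand-in for Devise's bcrypt hashing; not suitable for real passwords.
  def digest(password)
    OpenSSL::Digest::SHA256.hexdigest(password)
  end
end

# What the authentication strategy does per request: verify the signature,
# look the user up, then consult the revocation strategy.
def authenticate(token, users)
  payload = JWTCodec.decode(token)
  return nil unless payload
  user = users[payload['sub']]
  return nil if user.nil? || user.jwt_revoked?(payload)
  user
end

# The stolen-token scenario from the issue: does the token still authenticate
# before and after the victim resets their password?
def stolen_token_scenario
  alice = User.new('alice', 'old-password')
  users = { alice.id => alice }
  stolen = JWTCodec.encode(alice.jwt_payload)
  before = !authenticate(stolen, users).nil?
  alice.reset_password!('new-password')
  after = !authenticate(stolen, users).nil?
  { before_reset: before, after_reset: after }
end

p stolen_token_scenario if __FILE__ == $PROGRAM_NAME
```

The property worth keeping in mind is that JTI matching revokes from the user record, not from the token: a single column update invalidates every outstanding token, without the server ever having to see the stolen one. That matters here because the victim's reset request is not made with the stolen token, so whatever hook performs the revocation has to rotate the jti of the user being reset rather than act on a token present in the request.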

waiting-for-dev commented 1 year ago

Hi @carsomyr, did you try configuring revocation_requests?

waiting-for-dev commented 1 year ago

Hey @carsomyr, as posted above, did you try using the revocation_requests configuration to avoid the need to monkey-patch?

waiting-for-dev commented 11 months ago

I'll close this one as revocation_requests should be the clean way to do it.