fix(auth): restore TokenBlacklist check on backend auth middleware (#3556)#2053
fix(auth): restore TokenBlacklist check on backend auth middleware (#3556)#2053broskell wants to merge 1 commit into
Conversation
|
Thank you @, for creating the PR and contributing to our UltimateHealth project 💗. |
❌ PR Validation FailedThis PR was marked as To resolve this, please ensure your PR description links an issue (e.g., |
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 32824436 | Triggered | Generic Password | e1afe37 | backend/bruno/Ultimate Health/User/Verify forgot password.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
7b93c9e to
e1afe37
Compare
Description
Fixes #3556
This PR ports the backend codebase into the
UltimateHealthrepository and restores the functionalBlacklistedTokensession revocation flow. It resolves an issue where access tokens were not blacklisted upon user logout, allowing them to remain valid.Details of Changes
Schema Fix (
backend/models/blackListedToken.js):tokenfield to theblacklistedTokenSchemadefinition so that Mongoose does not strip the property before database writes.tokenwithunique: true,index: true, andsparse: trueconstraints.Database Service (
backend/services/db/dbTokenService.js):blackListToken(token)to verify or decode the JWT usingjsonwebtokento extract thejtiandexpiresAtvalues.required: true) and successfully persist in MongoDB.Logout Controller (
backend/controllers/usersControllers.js):accessTokenfrom cookies orAuthorizationheader during user logout and passed it toblackListToken(accessToken).Middleware Optimization (
backend/middleware):.lean()to theBlacklistedToken.findOnechecks inside bothauthentcatetoken.jsandadminAuthenticateToken.jsto skip document hydration and improve API performance.Verification & Deployment Considerations
BlacklistedTokencollection structure is fully backwards compatible. No migrations or data transitions are required..lean().