Skip to content

fix(auth): restore TokenBlacklist check on backend auth middleware (#3556)#2053

Open
broskell wants to merge 1 commit into
SB2318:mainfrom
broskell:fix/3556-auth-middleware-blacklist
Open

fix(auth): restore TokenBlacklist check on backend auth middleware (#3556)#2053
broskell wants to merge 1 commit into
SB2318:mainfrom
broskell:fix/3556-auth-middleware-blacklist

Conversation

@broskell

@broskell broskell commented Jul 3, 2026

Copy link
Copy Markdown

Description

Fixes #3556

This PR ports the backend codebase into the UltimateHealth repository and restores the functional BlacklistedToken session revocation flow. It resolves an issue where access tokens were not blacklisted upon user logout, allowing them to remain valid.

Details of Changes

  1. Schema Fix (backend/models/blackListedToken.js):

    • Added the token field to the blacklistedTokenSchema definition so that Mongoose does not strip the property before database writes.
    • Configured token with unique: true, index: true, and sparse: true constraints.
  2. Database Service (backend/services/db/dbTokenService.js):

    • Updated blackListToken(token) to verify or decode the JWT using jsonwebtoken to extract the jti and expiresAt values.
    • This ensures that the documents meet the schema's validation constraints (required: true) and successfully persist in MongoDB.
  3. Logout Controller (backend/controllers/usersControllers.js):

    • Retrieved the active accessToken from cookies or Authorization header during user logout and passed it to blackListToken(accessToken).
  4. Middleware Optimization (backend/middleware):

    • Appended .lean() to the BlacklistedToken.findOne checks inside both authentcatetoken.js and adminAuthenticateToken.js to skip document hydration and improve API performance.

Verification & Deployment Considerations

  • No Schema Migrations: The BlacklistedToken collection structure is fully backwards compatible. No migrations or data transitions are required.
  • Uncompromised Session Invalidation: Access tokens are now cleanly revoked immediately upon logout, and any subsequent queries are optimized with .lean().

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Thank you @, for creating the PR and contributing to our UltimateHealth project 💗.
Our team will review the PR and will reach out to you soon! 😇
Make sure that you have marked all the tasks that you are done with ✅.
Thank you for your patience! 😀

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

❌ PR Validation Failed

This PR was marked as gssoc:invalid because: You are not the author or an assignee of the linked issue(s).

To resolve this, please ensure your PR description links an issue (e.g., Fixes #123) and that you are either the creator or an assignee of that issue.

@gitguardian

gitguardian Bot commented Jul 3, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
32824436 Triggered Generic Password e1afe37 backend/bruno/Ultimate Health/User/Verify forgot password.yml View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@broskell broskell force-pushed the fix/3556-auth-middleware-blacklist branch from 7b93c9e to e1afe37 Compare July 3, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant