fix(core): revoke active JWT tokens after logout

[Sourav-kashyap]

GH-2570

JWT Logout Security Fix

Problem Statement

Security Vulnerability: JWT Tokens Remain Valid After Logout

Issue: When a user logs out of the system, their JWT access token remains valid until its natural expiration time, allowing the token to be used for authenticated requests even after logout.

Impact: This creates a security vulnerability where:

1. Logged-out users retain access to protected APIs until their JWT naturally expires
2. Session invalidation through logout is ineffective
3. In case of security incidents, compromised tokens cannot be immediately revoked
4. Access token lifetime becomes the effective session lifetime, regardless of logout

Type of change

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• Performed a self-review of my own code
• npm test passes on your machine

Build:

Test:

[sonarqubecloud]

SonarQube reviewer guide

Summary: Add token revocation checking to bearer token verification by introducing a utility function that validates tokens against a revoked token repository across both symmetric and asymmetric token verifiers.

Review Focus:

• The new checkIfTokenRevoked utility's error handling strategy—it silently logs repository errors rather than failing verification. Verify this graceful degradation approach is intentional and acceptable for security.
• Ensure the revocation check executes early enough in the verification flow to prevent unnecessary downstream processing.
• Confirm the RevokedTokenRepository.get() method efficiently handles token lookups.

Start review at: packages/core/src/components/bearer-verifier/providers/utils/revoked-token-checker.util.ts. This is the core security logic; understanding its error handling and performance characteristics is essential before reviewing its integration points.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[samarpan-b]

where are we revoking this token actually ?

[Sourav-kashyap]

sir the token is revoked using the existing RevokedTokenRepository

on logout (idp-login.service.ts) : token is stored via revokedTokensRepo.set()

on api request (services-bearer-asym-token-verifier.ts) : token is checked via checkIfTokenRevoked() which calls revokedTokenRepo.get(token) and throws TokenRevoked error if found

The same mechanism that the authentication service and facade services already use - we just added the same check to the service-level verifiers which were missing it.