feathers-authentication-management

[FR] Support revocation date

Open FossPrime opened this issue 2 years ago • 5 comments

Having a revokedAt field would allow existing JWT tokens to be cheaply invalidated.

Steps to reproduce

  1. Have your session cookies compromised, like LTT recently did
  2. Change your password

Expected behavior

Attacker should not be able to log in.

Actual behavior

The JWT cookie will still be valid, and so will the socketio reconnection key, allowing the attacker to log in to your account despite your having changed your password.

Context

I use SAML where cascading logouts are a core feature. You should be able to logout once, and have all your SAML apps be disconnected remotely.

FossPrime, Apr 27 '23 13:04