invalidate web UI tokens after logout

Open aead opened this issue 1 year ago • 0 comments

Expected Behavior

After logging in using access credentials, the user is able to perform an explicit log-out. This should invalidate the JWT token such that no other API operations are possible.

Current Behavior

After logout the user can still perform arbitrary API operations using their token. Hence, the token is not invalidated.

Possible Solution

Console should issue a delete for the session token to MinIO when the user logs out.

Steps to Reproduce (for bugs)

  1. Log in to the web UI
  2. Copy the JWT token - e.g. via the developer console
  3. Issue a curl request (e.g. S3 GET) using the token

Context

Security

aead, Jan 13 '25 11:01
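The root cause the report describes is that a signed token stays verifiable after logout unless the server also records which sessions are still live. The following is an added illustration, not code from the MinIO Console project: a small server-side session store in Go where `Login` mints a signed token, `Authenticate` accepts it only while its session ID is still registered, and `Logout` deletes that registration so the same token is refused afterwards. The type and function names (`SessionStore`, `Login`, `Authenticate`, `Logout`) and the `<id>.<hmac>` token format are assumptions made for this example; a real deployment would use its JWT library's `jti` claim and a shared store instead of an in-memory map.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

var (
	ErrBadToken = errors.New("token malformed or signature invalid")
	ErrRevoked  = errors.New("session revoked or expired")
)

// SessionStore keeps the set of live session IDs on the server side.
// A valid signature only proves the token was issued; the liveness record
// proves the user has not logged out since. (Hypothetical type for this example.)
type SessionStore struct {
	mu   sync.Mutex
	key  []byte
	live map[string]time.Time // session ID -> expiry
}

func NewSessionStore(key []byte) *SessionStore {
	return &SessionStore{key: key, live: make(map[string]time.Time)}
}

// sign computes the HMAC-SHA256 tag over the session ID.
func (s *SessionStore) sign(id string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(id))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Login mints a token of the form "<id>.<hmac>" and records the ID as live.
func (s *SessionStore) Login(now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	s.live[id] = now.Add(ttl)
	s.mu.Unlock()
	return id + "." + s.sign(id), nil
}

// parse verifies the signature in constant time and returns the session ID.
func (s *SessionStore) parse(token string) (string, error) {
	id, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(s.sign(id))) {
		return "", ErrBadToken
	}
	return id, nil
}

// Authenticate accepts a token only if it is well-signed AND its session is
// still live and unexpired. This is the check the bug report says is missing.
func (s *SessionStore) Authenticate(token string, now time.Time) error {
	id, err := s.parse(token)
	if err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.live[id]
	if !ok || now.After(exp) {
		delete(s.live, id) // drop stale entries on the way out
		return ErrRevoked
	}
	return nil
}

// Logout deletes the session record. The token's signature remains valid,
// but Authenticate will refuse it from now on.
func (s *SessionStore) Logout(token string) error {
	id, err := s.parse(token)
	if err != nil {
		return err
	}
	s.mu.Lock()
	delete(s.live, id)
	s.mu.Unlock()
	return nil
}

func main() {
	store := NewSessionStore([]byte("example-key-not-for-production")) // constructed sample key
	now := time.Now()
	tok, _ := store.Login(now, time.Hour)
	fmt.Println("before logout:", store.Authenticate(tok, now))
	_ = store.Logout(tok)
	fmt.Println("after logout:", store.Authenticate(tok, now))
}
```

The design point is that revocation has to live somewhere the API layer consults on every request; signature verification alone can never distinguish a logged-out token from a live one. Expiry handling is folded into the same check so that an expired-but-unrevoked session is treated exactly like a revoked one.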