Skip to content

SEC: JWT Tokens Not Invalidated on Logout — no revocation mechanism #187

Description

@vybe

Pentest Finding 3.3.4 — Low (CVSS 2.0)

Location: config.py, routers/auth.py

Impact

JWT tokens are valid for 7 days with no server-side revocation mechanism. If a session token is exfiltrated, it remains usable for the full 7-day period regardless of password changes or logout attempts. There is no logout endpoint in the API.

Root Cause

# config.py
ACCESS_TOKEN_EXPIRE_MINUTES = 10080  # 7 days (was 30 minutes)

No token blacklist, jti tracking, or refresh token pattern exists. grep for logout|blacklist|revoke|invalidate in routers/auth.py returns no results.

Remediation

  • Store token jti claims in Redis upon logout; verify against the blacklist on each request
  • Reduce ACCESS_TOKEN_EXPIRE_MINUTES to 60–480 minutes and implement refresh tokens
  • Add POST /api/auth/logout endpoint

References

Source: UnderDefense Web Pentest Report, March 2026

Metadata

Metadata

Assignees

Labels

complexity-mediumComplexity: medium (board points 5-8)pentestFrom penetration testing reportpriority-p2ImportantsecuritySecurity vulnerabilityseverity-lowLow severity security findingstatus-in-devMerged to dev, awaiting release cut to maintheme-securityTheme: Securitytype-bugBug fix

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions