Pentest Finding 3.3.4 — Low (CVSS 2.0)
Location: config.py, routers/auth.py
Impact
JWT tokens are valid for 7 days with no server-side revocation mechanism. If a session token is exfiltrated, it remains usable for the full 7-day period regardless of password changes or logout attempts. There is no logout endpoint in the API.
Root Cause
# config.py
ACCESS_TOKEN_EXPIRE_MINUTES = 10080 # 7 days (was 30 minutes)
No token blacklist, jti tracking, or refresh token pattern exists. grep for logout|blacklist|revoke|invalidate in routers/auth.py returns no results.
Remediation
- Store token
jti claims in Redis upon logout; verify against the blacklist on each request
- Reduce
ACCESS_TOKEN_EXPIRE_MINUTES to 60–480 minutes and implement refresh tokens
- Add
POST /api/auth/logout endpoint
References
Source: UnderDefense Web Pentest Report, March 2026
Pentest Finding 3.3.4 — Low (CVSS 2.0)
Location:
config.py,routers/auth.pyImpact
JWT tokens are valid for 7 days with no server-side revocation mechanism. If a session token is exfiltrated, it remains usable for the full 7-day period regardless of password changes or logout attempts. There is no logout endpoint in the API.
Root Cause
No token blacklist,
jtitracking, or refresh token pattern exists.grepforlogout|blacklist|revoke|invalidateinrouters/auth.pyreturns no results.Remediation
jticlaims in Redis upon logout; verify against the blacklist on each requestACCESS_TOKEN_EXPIRE_MINUTESto 60–480 minutes and implement refresh tokensPOST /api/auth/logoutendpointReferences
Source: UnderDefense Web Pentest Report, March 2026