Issue Template: Insecure Session Invalidation via Redis JWT Blocklist

[Aryan0819]

Severity: Security / Performance

Component: apps/backend (Auth System)

Problem: Currently, the system handles user authentication via JWT tokens using @fastify/jwt. However, there is no active server-side mechanism to invalidate tokens upon logout. If a user logs out, their JWT remains cryptographically valid until its expiration time (exp). An attacker who intercepts this token can continue to make unauthorized API requests even after the legitimate user has clicked "Logout".

Proposed Solution: Implement a secure token revocation layer using the existing Redis infrastructure (redisPlugin).

Create a DELETE /auth/logout endpoint protected by the authenticate preHandler hook.

Upon logout, extract the JWT token signature from the request headers, calculate its remaining lifetime (TTL) based on its expiration timestamp, and store it in Redis with a key like blocklist:token:.

Intercept requests in the global app.decorate('authenticate') middleware hook inside app.ts to check if the incoming token exists in the Redis blocklist. If it does, throw an immediate 401 Unauthorized exception.

Please assign under gssoc 2026

[Harxhit]

@Aryan0819 I’ve assigned this issue to you. Please add the implementation to handle this case for Firebase Auth logins as well. Ensure the solution properly covers Firebase authentication flows and maintains consistency with the existing authentication logic. Let me know if you need any clarification while working on it.

[github-actions]

Hey @ShantKhatri (Project Admin) and @Harxhit (Maintainer),

This issue (previously assigned to @Aryan0819) has been automatically unassigned because no linked pull request was found after the scheduled check.

If work is in progress, please open a PR and link it to this issue to keep the assignment.

[antharya05]

Hi @Harxhit, I’d like to work on this issue under GSSoC 2026.

I reviewed the current auth flow and Redis integration. My planned implementation approach is:

• Add a protected DELETE /auth/logout endpoint

• Extract and revoke JWTs by storing them in Redis with TTL equal to remaining token lifetime

• Extend the global authenticate middleware to reject blocklisted tokens before jwtVerify()

• Ensure the flow also supports Firebase-authenticated sessions as requested

• Add tests covering:

  • successful logout
  • revoked token access attempts
  • Redis TTL behavior
  • Firebase auth compatibility

Please assign this issue to me if it’s available. Thanks!

[Pcmhacker-piro]

Hi @Harxhit ,

I’d be excited to work on this issue and contribute to the project. I have prior open-source contribution experience and am confident in implementing the required changes effectively.

[Harxhit]

@antharya05 I have assigned this issue to you.