fix: concurrent session logout not invalidating JWT in first system

src/main/java/com/iemr/common/controller/users/IEMRAdminController.java

@@ -197,6 +197,15 @@
 				user.setUserName(mUser.get(0).getUserName());
 				logger.info("UserAgentUtil isMobile : " + isMobile);
 
+				// Store username → JTI mapping so concurrent-session logout can denylist this token
+				String accessJti = jwtUtil.getJtiFromToken(jwtToken);
+				redisTemplate.opsForValue().set(
+						"jti:" + m_User.getUserName().trim().toLowerCase(),
+						accessJti + "|" + mUser.get(0).getUserID(),
+						jwtUtil.getAccessTokenExpiration(),
+						TimeUnit.MILLISECONDS
+				);
+
 				if (isMobile) {
 					refreshToken = jwtUtil.generateRefreshToken(m_User.getUserName(), user.getUserID().toString());
 					logger.debug("Refresh token generated successfully for user: {}", user.getUserName());
@@ -211,7 +220,7 @@
 					cookieUtil.addJwtTokenToCookie(jwtToken, httpResponse, request);
 				}
 
 				String redisKey = "user_" + mUser.get(0).getUserID(); // Use user ID to create a unique key
 
 				// Store the user in Redis (set a TTL of 30 minutes)
 				redisTemplate.opsForValue().set(redisKey, user, 30, TimeUnit.MINUTES);
@@ -366,7 +375,7 @@
 
 	@Operation(summary = "Log out user from concurrent session")
 	@RequestMapping(value = "/logOutUserFromConcurrentSession", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON)
 	public String logOutUserFromConcurrentSession(
 			@Param(value = "\"{\\\"userName\\\":\\\"String\\\"}\"") @RequestBody LoginRequestModel m_User,
 			HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
@@ -387,6 +396,20 @@
 					if (previousTokenFromRedis != null) {
 						deleteSessionObjectByGettingSessionDetails(previousTokenFromRedis);
 						sessionObject.deleteSessionObject(previousTokenFromRedis);
+
+						// Denylist the active JWT so the first system's requests are immediately rejected
+						String usernameKey = mUsers.get(0).getUserName().trim().toLowerCase();
+						String jtiData = (String) redisTemplate.opsForValue().get("jti:" + usernameKey);
+						if (jtiData != null) {
+							String[] parts = jtiData.split("\\|", 2);
+							String jti = parts[0];
+							tokenDenylist.addTokenToDenylist(jti, jwtUtil.getAccessTokenExpiration());
+							if (parts.length > 1) {
+								redisTemplate.delete("user_" + parts[1]);
+							}
+							redisTemplate.delete("jti:" + usernameKey);
+						}
+
 						response.setResponse("User successfully logged out");
 					} else{
 						logger.error("Unable to fetch session from redis");
@@ -522,6 +545,15 @@
 				isMobile = UserAgentUtil.isMobileDevice(userAgent);
 				logger.info("UserAgentUtil isMobile : " + isMobile);
 
+				// Store username → JTI mapping so concurrent-session logout can denylist this token
+				String accessJti = jwtUtil.getJtiFromToken(jwtToken);
+				redisTemplate.opsForValue().set(
+						"jti:" + m_User.getUserName().trim().toLowerCase(),
+						accessJti + "|" + mUser.getUserID(),
+						jwtUtil.getAccessTokenExpiration(),
+						TimeUnit.MILLISECONDS
+				);
+
 				if (isMobile) {
 					refreshToken = jwtUtil.generateRefreshToken(m_User.getUserName(), user.getUserID().toString());
 					logger.debug("Refresh token generated successfully for user: {}", user.getUserName());

src/main/java/com/iemr/common/utils/JwtUtil.java

@@ -163,6 +163,10 @@ public long getRefreshTokenExpiration() {
         return REFRESH_EXPIRATION_TIME;
     }
 
+    public long getAccessTokenExpiration() {
+        return ACCESS_EXPIRATION_TIME;
+    }
+
     /**
  * Extract user ID from JWT token in the request (checks header and cookie)
  * @param request the HTTP request