This repository has been archived by the owner on Mar 22, 2022. It is now read-only.

Calling logout should revoke/blacklist a JWT #133

Closed
ekryski opened this issue Mar 26, 2016 · 3 comments

@ekryski
Member

ekryski commented Mar 26, 2016

This is dependent on https://github.com/feathersjs/feathers-authentication/issues/73.

@beeplin

beeplin commented Mar 27, 2016

@ekryski, I just found that even after calling app.logout(), the client can still fetch data from the server which is supposed to be restricted to authenticated users. This might be the same issue you mentioned here?

@ekryski
Member Author

ekryski commented Mar 27, 2016

@beeplin that one is related to #122. We remove the token from localStorage but the token is still hanging around in the cookie. I've fixed that in the v0.6.1 branch and should be merging that tonight/tomorrow.

This issue will take that further and make sure that token can never be used again by anyone.

@ekryski
Member Author

ekryski commented Jun 19, 2016

So I did a bit of digging and reading this weekend and I don't think this is really an issue if we keep the TTLs of tokens really short and implement a refresh token mechanism. I'm going to close this.
