
Calling logout should revoke/blacklist a JWT #133

Closed
ekryski opened this Issue Mar 26, 2016 · 3 comments


ekryski commented Mar 26, 2016

This is dependent on #73.

beeplin commented Mar 27, 2016

@ekryski, I just found that even after calling app.logout(), the client can still fetch data from the server which is supposed to be restricted to authenticated users. This might be the same issue you mentioned here?


ekryski commented Mar 27, 2016

@beeplin that one is related to #122. We remove the token from localStorage but the token is still hanging around in the cookie. I've fixed that in the v0.6.1 branch and should be merging that tonight/tomorrow.

This issue will take that further and make sure that token can never be used again by anyone.

@ekryski ekryski added the Backlog label May 21, 2016


ekryski commented Jun 19, 2016

So I did a bit of digging and reading this weekend and I don't think this is really an issue if we keep the TTLs of tokens really short and implement a refresh token mechanism. I'm going to close this.
