Deleted user can still authenticate #24

Closed
matveycodes opened this issue Jan 3, 2022 · 3 comments

Comments

@matveycodes

Bug Description

  1. Use register endpoint to create a new user with email test@example.com
  2. Authenticate using auth endpoint
  3. Store returned JWT as jwt1
  4. Delete user using default WordPress functionality (Users -> test@example.com -> Delete)
  5. Repeat steps 1, 2
  6. Store returned JWT as jwt2

Since the user IDs have changed, I expect jwt1 to be marked as invalid. In fact, both tokens can be used to access protected endpoints.

Environment

Question                        Answer
PHP version                     7.4.3
WordPress version               5.8.2
Simple-JWT-Login plugin version 3.4.2

Other installed plugins (optional)

Additional Context (optional)

@dani3l3

dani3l3 commented Jan 25, 2022

Well, I guess the token contains the email, and that is used as the security principal... if the email is the same, the token still validates and has no awareness (nor does it need to have) of the user ID. I don't see this as a security concern, to be honest... let's see what the author thinks.

@matveycodes
Author

In my case, both id and email are in the JWT payload (corresponding checkboxes are checked in the JWT Payload parameters option in the Authentication section).

Probably there is no comparison between token fields and fields returned from the WordPress function that searches for a user by email.

@nicumicle
Owner

I agree with @dani3l3. This is how this plugin works (search a user by the payload).

I believe that invalidating the JWT after you delete the user will solve your issue.

This way, you can make sure that the JWT generated by this user will not be valid to access the newly created user.

Also, you can set an expiration time for the JWTs.

But, I would suggest you use the ID instead of the email.
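The following is an added illustration of the thread's point, not code from the Simple-JWT-Login plugin: it models the issue's six steps against a constructed in-memory user table and contrasts an email-only lookup (which accepts the stale jwt1) with a check that binds the token to the user ID, requires the email claim to match, and rejects tokens issued before the account was created. The `registered` field, the `iat`/`exp` claims and the timestamps are assumptions of this example; signature verification is assumed to have happened before the payload is inspected.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    email: str
    registered: int  # unix time the account was created (constructed field)

USERS = {}  # constructed in-memory stand-in for the WordPress users table
_next_id = 1

def register(email: str, now: int) -> User:
    global _next_id
    user = User(_next_id, email, now)
    USERS[user.id] = user
    _next_id += 1
    return user

def delete(user_id: int) -> None:
    USERS.pop(user_id, None)

def lookup_by_email(email: str):
    return next((u for u in USERS.values() if u.email == email), None)

def validate_by_email(payload: dict, now: int) -> bool:
    """Weak check, as the thread describes: resolve the principal by email only.
    A re-created account with the same email satisfies it."""
    return lookup_by_email(payload["email"]) is not None and now < payload["exp"]

def validate_bound(payload: dict, now: int) -> bool:
    """Hardened check (signature assumed already verified): resolve by id,
    require the email claim to match, reject tokens issued before the
    account existed, and enforce expiry."""
    user = USERS.get(payload.get("id"))
    if user is None or user.email != payload.get("email"):
        return False
    if payload["iat"] < user.registered:  # token predates this account
        return False
    return now < payload["exp"]

def reproduce() -> tuple:
    """Runs the issue's steps 1-6; returns (weak_accepts_jwt1, bound_accepts_jwt1)."""
    global _next_id
    USERS.clear(); _next_id = 1
    t0 = 1_641_168_000  # constructed timestamp
    u1 = register("test@example.com", t0)
    jwt1 = {"id": u1.id, "email": u1.email, "iat": t0 + 10, "exp": t0 + 3600}
    delete(u1.id)
    register("test@example.com", t0 + 100)
    return validate_by_email(jwt1, t0 + 200), validate_bound(jwt1, t0 + 200)
```

The `iat` versus `registered` comparison also covers a store that reuses IDs: a token minted for the deleted account is rejected even if the new account receives the same ID, because it was issued before that account existed.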
