
jwt-best-practices's People

Contributors

victorsteven


jwt-best-practices's Issues

Delete refresh tokens by user ID before login

Consider the scenario:

  • Attacker obtains a refresh token
  • After an access token expires, attacker uses the refresh token to issue new access and refresh tokens (user still has the old one)
  • User's client tries to obtain a new access token by presenting its own refresh token and it fails
  • The stolen token cannot be revoked

Possible solutions:

  • Delete the refresh token by user id during login
    This way all refresh tokens that belong to a user are invalidated

Scenario:

  • Attacker obtains a refresh token and issues a new access and refresh token (rotated, and the user still has the old one)
  • User's client tries to obtain a new access token by presenting an invalid refresh token - it fails because user's token does not exist in a data store
  • User tries to login, invalidates all existing refresh tokens (including attacker's refresh token), and creates a new pair of tokens.

P.S. Also, as far as I see, logout should be possible only if the user has a valid access token. Maybe the better solution would be to require a refresh token to perform logout. Why? Because why unnecessarily generate a new access token just to logout. If the refresh token is valid, we revoke tokens. If not, there is nothing to care about if we ensure that an access token's lifespan is shorter than the lifespan of a refresh token (both expired).
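The scenario and the proposed fix, as an added example that is not the repository's code: an in-memory refresh-token store (assumed here in place of the project's Redis store, with assumed names `TokenStore`, `Login`, `Refresh`, `Logout`) that rotates a refresh token on every use, rejects a token that is no longer in the store, and invalidates every refresh token belonging to a user when that user logs in, so a stolen-and-rotated token dies at the victim's next login.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidRefresh is returned when a presented refresh token is unknown,
// already rotated, already revoked, or expired.
var ErrInvalidRefresh = errors.New("refresh token not found or expired")

type refreshRecord struct {
	userID  uint64
	expires time.Time
}

// TokenStore is an assumed stand-in for the repo's Redis store: tokens are
// keyed by their opaque ID, with a secondary index from user ID to the set of
// that user's live token IDs so that "revoke everything for this user" is cheap.
type TokenStore struct {
	mu      sync.Mutex
	byToken map[string]refreshRecord
	byUser  map[uint64]map[string]struct{}
	ttl     time.Duration
	now     func() time.Time // injectable clock for tests
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{
		byToken: map[string]refreshRecord{},
		byUser:  map[uint64]map[string]struct{}{},
		ttl:     ttl,
		now:     time.Now,
	}
}

// newTokenID returns 256 bits of CSPRNG output as hex; opaque IDs carry no claims.
func newTokenID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *TokenStore) issueLocked(userID uint64) string {
	id := newTokenID()
	s.byToken[id] = refreshRecord{userID: userID, expires: s.now().Add(s.ttl)}
	if s.byUser[userID] == nil {
		s.byUser[userID] = map[string]struct{}{}
	}
	s.byUser[userID][id] = struct{}{}
	return id
}

func (s *TokenStore) deleteLocked(id string, userID uint64) {
	delete(s.byToken, id)
	if set := s.byUser[userID]; set != nil {
		delete(set, id)
		if len(set) == 0 {
			delete(s.byUser, userID)
		}
	}
}

// Login is the mitigation from the issue: every refresh token the user holds
// (including one an attacker rotated into existence) is deleted before a new one is issued.
func (s *TokenStore) Login(userID uint64) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	for id := range s.byUser[userID] {
		delete(s.byToken, id)
	}
	delete(s.byUser, userID)
	return s.issueLocked(userID)
}

// Refresh rotates: the presented token is single-use and is removed before its
// replacement is issued, so a client presenting the pre-rotation token fails.
func (s *TokenStore) Refresh(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byToken[token]
	if !ok {
		return "", ErrInvalidRefresh
	}
	s.deleteLocked(token, rec.userID)
	if !s.now().Before(rec.expires) {
		return "", ErrInvalidRefresh
	}
	return s.issueLocked(rec.userID), nil
}

// Logout follows the issue's P.S.: revoke on the strength of the refresh token alone.
func (s *TokenStore) Logout(token string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byToken[token]
	if !ok {
		return ErrInvalidRefresh
	}
	s.deleteLocked(token, rec.userID)
	return nil
}

// ActiveTokens reports how many live refresh tokens a user has (useful for alerting: >1 is suspicious here).
func (s *TokenStore) ActiveTokens(userID uint64) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.byUser[userID])
}

func main() {
	s := NewTokenStore(24 * time.Hour)
	victim := s.Login(42)
	stolenRotated, _ := s.Refresh(victim) // the stolen token is rotated by its new holder
	_, err := s.Refresh(victim)           // the legitimate client now fails
	fmt.Println("victim refresh after rotation:", err)
	s.Login(42) // victim logs in again: all of user 42's tokens are revoked
	_, err = s.Refresh(stolenRotated)
	fmt.Println("rotated stolen token after victim login:", err)
	fmt.Println("live refresh tokens for user 42:", s.ActiveTokens(42))
}
```

The store keeps raw token IDs for brevity; a production store would index by a hash of the token so that a dump of the store does not yield usable credentials.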

LICENSE

I really liked your article, and this code, but for me to use it at my company, I really need an MIT license or similar.
Please consider adding an MIT license.
Thanks for publishing the article.

Missing code?

Reviewing the code and the article, it seems the committed code is missing some pieces that are shown in the article:

  • TokenValid() is defined but not called/referenced
  • TokenAuthMiddleware() is not defined or used in the repo, but is used in the article.

Maybe you want to add the code in the article to the repo?
