awslabs/aws-jwt-verify

Verify doesn't check tokens invalidated with GlobalSignOut

Closed this issue · 3 comments

After signing out the user by going into the Cognito console and globally signing out (GlobalSignOut), the verification should fail. However, the verification check passed instead.

Version

I'm using Node.js 18 with TypeScript on the server.

Steps to Reproduce

  • Log in to Cognito and retrieve a token.
  • Validate the token (successful validation).
  • Go to the AWS Cognito console and globally sign out the user (Action / Sign out user).
  • Verify the token again.
  • The verification does not fail as expected.

More info

This is a snippet of the code I'm using to properly verify the token. I'm using the cognitoVerifier only to check the token's integrity, and I'm making an additional call to the Cognito API to validate the token.

import { GetUserCommand } from "@aws-sdk/client-cognito-identity-provider";
import { UnauthorizedException } from "@nestjs/common"; // assumed: the NestJS exception class

private async verifyToken(token: string): Promise<{ sub: string }> {
	try {
		// Stateless check: signature against the user pool JWKS, expiry, issuer, client_id, token_use.
		const result = await this.cognitoVerifier.verify(token);

		// Stateful check: call Cognito's GetUser API with the access token.
		// After GlobalSignOut this call fails with NotAuthorizedException.
		const command = new GetUserCommand({ AccessToken: token });
		await this.cognitoClient.send(command);

		return result;
	} catch (e) {
		this.logger.log('Error verifying token', e);
		throw new UnauthorizedException();
	}
}

In this case, GetUserCommand correctly throws NotAuthorizedException: Access Token has been revoked.
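The issue above comes down to the difference between a stateless and a stateful check: a JWT verifier only has the signature and the claims, so a token revoked by GlobalSignOut still verifies locally until it expires. The following added TypeScript example (written for this page; it is not the aws-jwt-verify library's code and not the issue author's) runs offline with Node's built-in crypto and reproduces the behaviour end to end. `verifyLocally` is a minimal stand-in for `CognitoJwtVerifier.verify`, `CognitoStub.getUser` is a stand-in for the GetUser API, and the issuer, client id, key pair and claims are all constructed; the stub models GlobalSignOut as "tokens issued at or before the sign-out are revoked", which is a simplification of the real service.

```typescript
import * as crypto from "node:crypto";

// Constructed sample key pair standing in for the user pool's JWKS signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Assumed values; real ones come from your user pool and app client.
const ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE";
const CLIENT_ID = "exampleclientid";

const b64url = (data: string | Buffer): string => Buffer.from(data).toString("base64url");

export interface AccessTokenPayload {
  sub: string; username: string; iss: string; client_id: string;
  token_use: string; iat: number; exp: number;
}

// Mint a Cognito-shaped RS256 access token (constructed; a real token is issued by the user pool).
export function mintAccessToken(sub: string, username: string, iat: number, ttlSeconds = 3600): string {
  const header = b64url(JSON.stringify({ alg: "RS256", kid: "example-kid" }));
  const payload = b64url(JSON.stringify({
    sub, username, iss: ISSUER, client_id: CLIENT_ID, token_use: "access", iat, exp: iat + ttlSeconds,
  }));
  const signature = crypto.sign("sha256", Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(signature)}`;
}

// Stateless verification: everything a JWT library can check without talking to Cognito.
export function verifyLocally(token: string, now: number): AccessTokenPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("invalid signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString()) as AccessTokenPayload;
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (claims.client_id !== CLIENT_ID) throw new Error("wrong client_id");
  if (claims.token_use !== "access") throw new Error("not an access token");
  if (claims.exp <= now) throw new Error("token expired");
  return claims;
}

export class NotAuthorizedException extends Error {}

// Stand-in for Cognito's server-side state. Nothing in the token changes when a user is signed out;
// only this state does, which is why a purely local verifier cannot observe GlobalSignOut.
export class CognitoStub {
  private signedOutAt = new Map<string, number>();

  globalSignOut(username: string, at: number): void {
    this.signedOutAt.set(username, at);
  }

  // Models GetUser: accepts an access token and fails for tokens revoked by GlobalSignOut.
  getUser(accessToken: string, now: number): { username: string } {
    const claims = verifyLocally(accessToken, now);
    const cutoff = this.signedOutAt.get(claims.username);
    if (cutoff !== undefined && claims.iat <= cutoff) {
      throw new NotAuthorizedException("Access Token has been revoked");
    }
    return { username: claims.username };
  }
}

// The layered check from the issue: stateless verification first, then the stateful GetUser call.
export function verifyToken(token: string, cognito: CognitoStub, now: number): { sub: string } {
  const claims = verifyLocally(token, now);
  cognito.getUser(token, now);
  return { sub: claims.sub };
}

// Walk through the reproduction steps and return what each stage decided.
export function demo() {
  const cognito = new CognitoStub();
  const t0 = 1_700_000_000;
  const token = mintAccessToken("sub-123", "alice", t0);

  const before = verifyToken(token, cognito, t0 + 10).sub;            // passes: nothing revoked yet
  cognito.globalSignOut("alice", t0 + 60);                            // console: Sign out user
  const localStillPasses = verifyLocally(token, t0 + 120).sub === "sub-123"; // JWT alone still verifies
  let rejected = false;
  try {
    verifyToken(token, cognito, t0 + 120);                            // layered check rejects it
  } catch (e) {
    rejected = e instanceof NotAuthorizedException;
  }
  const fresh = mintAccessToken("sub-123", "alice", t0 + 61);         // issued after the sign-out
  const freshOk = verifyToken(fresh, cognito, t0 + 120).sub;
  return { before, localStillPasses, rejected, freshOk };
}
```

Two practical caveats when applying this pattern against the real service: GetUser takes an access token, so the extra check is not available when the verifier is configured for ID tokens, and every call is a network round-trip that counts against Cognito API quotas, so a short access-token lifetime is the cheaper way to bound how long a signed-out token stays usable.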

Hi @almeidapaulooliveira

Please read the comment in #151 which explains why we consider this to work as it should, and share any new insights.

Thank you for the code sample, that may help other users in scenarios where this additional check is warranted.

Thank you, Otto. It's clear now. Great explanation about different JWT approaches, by the way.