Implement logout endpoint
opeolluwa opened this issue · 13 comments
STEP 01
Create a new database table access_tokens
and corresponding migration using sqlx.
The table will contain the following fields
- id - a UUID
- token - a text field to store JWTs
- is_blacklisted - a boolean stating whether a JWT is blacklisted.
STEP 02
alter the generate_token
function defined here to store tokens created to access_tokens
table as explained in STEP 01 above
STEP 03
Implement the logout handler defined here
The handler will retrieve a token from the HTTP request header, find the record that has the token in the database and set the is_blacklisted
field of the record to true.
STEP 04
extend the token validation implemented here
To restrict access for all blacklisted tokens
STEP 05
Mount the logout endpoint to /logout
path in the router
This looks pretty straightforward, I can give it a go
Hi @derekleverenz! Thanks for checking the project out 💖
I will be more than pleased to have you look into it.
I'm also open to suggestions, as to how to approach the problem.
Thanks!
I haven't done much with JWT before so I did some research. It seems one of the big benefits of JWT is that you don't need to store the token in the database because it is generated & verified cryptographically, so one option is to not implement a logout at all and let clients choose to logout by just forgetting/discarding their token, since I don't think the backend is otherwise maintaining any session.
But, if you want to implement it, I think the approach you outlined makes sense, but storing the id in the table isn't necessary since it is already used when generating the token, but since we would have to look up by token to see if they are blacklisted maybe we should add an index to the table on the token field.
Also I think modifying generate_token to persist it to the database will make it tricky to unit test that, so maybe that could stay as-is and then we instead add another function or a wrapper function that would persist it. I noticed that the login function also doesn't actually call generate_token, so that will need to be updated too. I can do that if you want it.
Edit: actually, I read a bit more and talked to some people, one way this is done is to store a token when someone logs out, instead of storing it when generating it, so any tokens in the table are revoked. What do you think of that?
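Added example, not code from this project or from either commenter: a std-only Rust sketch of STEP 03 (the logout handler) and STEP 04 (the extended validation) from the issue body, written in the variant proposed in the comment above where only logged-out tokens are stored. An in-memory HashMap stands in for the access_tokens table and for sqlx (an assumption so it runs offline); the names Claims, Denylist, bearer_token, validate and logout are chosen here; signature verification is assumed to happen upstream and to hand the handler a decoded Claims value; the token string in main is a constructed placeholder, not a real JWT.

```rust
use std::collections::HashMap;

/// Claims the existing token validation has already decoded and
/// signature-checked (assumed to happen upstream; only `sub` and `exp`
/// are modelled here).
#[derive(Debug, Clone)]
pub struct Claims {
    pub sub: String,
    /// JWT `exp` claim: seconds since the Unix epoch; the token is not
    /// valid on or after this instant.
    pub exp: u64,
}

#[derive(Debug)]
pub enum AuthError {
    MissingToken,
    Expired,
    Revoked,
}

/// In-memory stand-in for the `access_tokens` table, holding only tokens
/// that have been logged out. Keyed by the token string, because
/// lookup-by-token is the only access path the validation needs; the value
/// is the token's `exp`, which bounds how long the row must be kept.
#[derive(Default)]
pub struct Denylist {
    revoked: HashMap<String, u64>,
}

impl Denylist {
    pub fn revoke(&mut self, token: &str, exp: u64) {
        self.revoked.insert(token.to_string(), exp);
    }

    pub fn is_revoked(&self, token: &str) -> bool {
        self.revoked.contains_key(token)
    }

    /// Drop entries whose token has expired anyway: the `exp` check in
    /// `validate` rejects those before the denylist is consulted.
    /// Returns the number of entries removed.
    pub fn prune(&mut self, now: u64) -> usize {
        let before = self.revoked.len();
        self.revoked.retain(|_, exp| *exp > now);
        before - self.revoked.len()
    }
}

/// Pull the raw token out of an `Authorization: Bearer <token>` header value.
pub fn bearer_token(header: &str) -> Option<&str> {
    header
        .strip_prefix("Bearer ")
        .map(str::trim)
        .filter(|t| !t.is_empty())
}

/// STEP 04: validation extended with the denylist. Runs after the signature
/// check has produced `claims`; rejects expired tokens before touching the
/// store, so expired-and-revoked tokens cost no lookup.
pub fn validate(deny: &Denylist, token: &str, claims: &Claims, now: u64) -> Result<(), AuthError> {
    if now >= claims.exp {
        return Err(AuthError::Expired);
    }
    if deny.is_revoked(token) {
        return Err(AuthError::Revoked);
    }
    Ok(())
}

/// STEP 03: the logout handler. Reads the token from the Authorization
/// header and records it, with its expiry, in the denylist.
pub fn logout(deny: &mut Denylist, auth_header: Option<&str>, claims: &Claims) -> Result<(), AuthError> {
    let token = auth_header.and_then(bearer_token).ok_or(AuthError::MissingToken)?;
    deny.revoke(token, claims.exp);
    Ok(())
}

fn main() {
    let mut deny = Denylist::default();
    let claims = Claims { sub: "alice".to_string(), exp: 2_000 };
    // Constructed placeholder standing in for a signed JWT.
    let token = "header.payload.signature";
    println!("{} before logout: {:?}", claims.sub, validate(&deny, token, &claims, 1_000));
    logout(&mut deny, Some("Bearer header.payload.signature"), &claims).unwrap();
    println!("{} after logout:  {:?}", claims.sub, validate(&deny, token, &claims, 1_000));
    println!("entries pruned once the token expires: {}", deny.prune(2_000));
}
```

Two points the sketch is meant to make concrete: storing `exp` beside the revoked token gives the table a natural retention bound (prune rows once `exp` has passed, since the normal expiry check already rejects them), and the denylist must be consulted on every authenticated request, which is the cost of server-side logout that the client-side "just discard the token" approach avoids. When this is persisted with sqlx rather than a HashMap, storing a hash of the token (for example SHA-256) instead of the raw JWT means a read of the table does not hand out usable bearer tokens, while lookup-by-hash works just as well with an index on that column.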
Thank you so much for the review.
I would've loved to skip the logout endpoint but, the problem is that a user might be impersonated once an attacker has access to the JWT.
One way out of this could be to implement both client and server logout strategies.
Again, I'm open to review on this.
Regarding the generate_token function not being implemented for the login endpoint, you could fix that up while we wrap up the best way to resolve the logout endpoint.
Thank you! @derekleverenz! I appreciate you, taking time to contribute and discuss this ❤️
Hi @derekleverenz
Any updates
hey @opeolluwa, been busy but I can make a PR tomorrow
Thanks a lot 💯
I appreciate you carving out time to contribute to this.
I made a draft PR (#168) and noted some questions on there. Mainly I need to test it and resolve the merge conflicts, I will get to that tomorrow, but I would also appreciate your feedback and any changes you want to see
@derekleverenz thank you so much ❤️
Thanks for taking the time to review, ask for clarification and fix the issue. Let's do this again some time.
I would love to connect with you on Twitter. Do you mind?
Sure, I don't mind. I don't use Twitter much anymore since they shut down the 3rd party API so I can't use Tweetbot, but I'm https://twitter.com/coaxmetal
Oops! I'm so sorry to hear that.
I was even hoping to tweet a thanks. I appreciate your efforts
fixed!
@opeolluwa no worries, you are welcome to mention me, I still check it occasionally, just don't use it much now. Thanks!