waiting-for-dev/devise-jwt

Consider advising users to add this code to revoke the JWT on password reset

carsomyr opened this issue · 3 comments

Assuming a JTI revocation strategy and recoverable on a Devise'd User model, this is the code I added to revoke the JWT when the user resets their password:

  include ::Devise::JWT::RevocationStrategies::JTIMatcher

  # Overriding the class method mixed in by `recoverable`. Devise returns the
  # user either way: a persisted, error-free record when the reset succeeded,
  # or a new/errored record when the reset token was invalid or expired.
  def self.reset_password_by_token(attributes = {})
    user = super

    # Rotate the stored jti (JTIMatcher#revoke_jwt ignores its payload
    # argument) only when the password actually changed; revoking an unsaved
    # record would fail.
    revoke_jwt(nil, user) if user.persisted? && user.errors.empty?

    user
  end

The above snippet addresses the scenario of a stolen token and the app's creators advising the user to reset their password. A major action such as this already invalidates the session's authenticatable_salt, and it follows that the JWT should also be revoked.
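The JTI-matcher mechanism the post relies on, as a self-contained added example (constructed here, not devise-jwt's or Devise's code): a user record with a `jti` column, a token whose `jti` claim must equal the stored value, and a password reset that rotates the column so an already-issued token stops verifying. `DemoUser`, `issue_token` and `token_valid?` are constructed names, and HS256 is hand-rolled with OpenSSL so the script runs without the jwt or devise gems.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

SECRET = 'constructed-demo-secret' # a real app loads this from credentials
# Stand-in for a Devise user record that has a `jti` column.
class DemoUser
  attr_reader :id, :jti
  def initialize(id)
    @id = id
    @jti = SecureRandom.uuid
  end

  # Same effect as JTIMatcher#revoke_jwt: a fresh jti invalidates every token issued before it.
  def revoke_jwt!
    @jti = SecureRandom.uuid
  end
  # Password reset is the "major action": rotate the jti alongside it.
  def reset_password!(new_password)
    @password_digest = OpenSSL::Digest::SHA256.hexdigest(new_password)
    revoke_jwt!
  end
end

def b64url(str)
  Base64.urlsafe_encode64(str, padding: false)
end
def hs256(signing_input)
  b64url(OpenSSL::HMAC.digest('SHA256', SECRET, signing_input))
end
# Constant-time comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token whose jti claim equals the jti currently stored on the user.
def issue_token(user)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ sub: user.id, jti: user.jti }.to_json)
  "#{header}.#{payload}.#{hs256("#{header}.#{payload}")}"
end

# JTI-matcher check: signature must verify AND the jti must match the stored one.
def token_valid?(token, user)
  header, payload, sig = token.to_s.split('.')
  return false unless header && payload && sig
  return false unless secure_equal?(hs256("#{header}.#{payload}"), sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  claims['sub'] == user.id && claims['jti'] == user.jti
end
```

After `reset_password!` the previously issued token fails `token_valid?` even though its signature is still intact, which is exactly the stolen-token case the post describes.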

Hi @carsomyr, did you try configuring revocation_requests?

Hey @carsomyr, as posted above, did you try using the revocation_requests configuration to avoid the need to monkey-patch?

I'll close this one as revocation_requests should be the clean way to do it.