JWT Token code now handles multiple logins from one user

Author: JonPSmith

AuthPermissions.AspNetCore/Services/DisableJwtRefreshToken.cs

@@ -10,7 +10,8 @@
 namespace AuthPermissions.AspNetCore.Services
 {
     /// <summary>
-    /// This service allows you to mark the Jwt Refresh Token as 'used' so that the JWT token cannot be refreshed
+    /// This service allows you to mark the Jwt Refresh Token as 'used' so that the JWT token cannot be refreshed.
+    /// There are two methods: one to allow a user to logout and another to allow a admin person log out all logins of a specific user. 
     /// </summary>
     public class DisableJwtRefreshToken : IDisableJwtRefreshToken
     {
@@ -26,16 +27,16 @@ public DisableJwtRefreshToken(AuthPermissionsDbContext context)
         }
 
         /// <summary>
-        /// This will mark the latest, valid RefreshToken as invalid.
-        /// Call this a) when a user logs out, or b) you want to log out an active user when the JTW times out
+        /// This allows a user to logout. The effect is that when the JWT Token expires
+        /// you cannot refresh the JWT Token because the refresh token is invalid.
+        /// If the user has multiple logins, this only logs out the login using the given refresh token.
         /// </summary>
-        /// <param name="userId"></param>
-        public async Task MarkJwtRefreshTokenAsUsedAsync(string userId)
+        /// <param name="refreshToken"></param>
+        /// <returns></returns>
+        public async Task LogoutUserViaRefreshTokenAsync(string refreshToken)
         {
             var latestValidRefreshToken = await _context.RefreshTokens
-                .Where(x => x.UserId == userId && !x.IsInvalid)
-                .OrderByDescending(x => x.AddedDateUtc)
-                .FirstOrDefaultAsync();
+                .SingleOrDefaultAsync(x => x.TokenValue == refreshToken);
 
             if (latestValidRefreshToken != null)
             {
@@ -44,5 +45,22 @@ public async Task MarkJwtRefreshTokenAsUsedAsync(string userId)
                 status.IfErrorsTurnToException();
             }
         }
+
+        /// <summary>
+        /// This will mark all the refresh tokens linked to this userid will be marked as invalid,
+        /// which means the user cannot refresh the JWT Token. If the user has multiple logins,
+        /// then all the users logins will marked as a invalid. 
+        /// </summary>
+        /// <param name="userId"></param>
+        public async Task LogoutUserViaUserIdAsync(string userId)
+        {
+            var latestValidRefreshTokens = await _context.RefreshTokens
+                .Where(x => x.UserId == userId && !x.IsInvalid)
+                .ToListAsync();
+
+            latestValidRefreshTokens.ForEach(x => x.MarkAsInvalid());
+            var status = await _context.SaveChangesWithChecksAsync();
+            status.IfErrorsTurnToException();
+        }
     }
 }

AuthPermissions.AspNetCore/Services/IDisableJwtRefreshToken.cs

@@ -1,20 +1,30 @@
-// Copyright (c) 2021 Jon P Smith, GitHub: JonPSmith, web: http://www.thereformedprogrammer.net/
+// Copyright (c) 2022 Jon P Smith, GitHub: JonPSmith, web: http://www.thereformedprogrammer.net/
 // Licensed under MIT license. See License.txt in the project root for license information.
 
 using System.Threading.Tasks;
 
-namespace AuthPermissions.AspNetCore.Services
+namespace AuthPermissions.AspNetCore.Services;
+
+/// <summary>
+/// This service allows you to mark the Jwt Refresh Token as 'used' so that the JWT token cannot be refreshed.
+/// There are two methods: one to allow a user to logout and another to allow a admin person log out all logins of a specific user. 
+/// </summary>
+public interface IDisableJwtRefreshToken
 {
     /// <summary>
-    /// Service to disable the current JWT Refresh Token
+    /// This allows a user to logout. The effect is that when the JWT Token expires
+    /// you cannot refresh the JWT Token because the refresh token is invalid.
+    /// If the user has multiple logins, this only logs out the login using the given refresh token.
+    /// </summary>
+    /// <param name="refreshToken"></param>
+    /// <returns></returns>
+    Task LogoutUserViaRefreshTokenAsync(string refreshToken);
+
+    /// <summary>
+    /// This will mark all the refresh tokens linked to this userid will be marked as invalid,
+    /// which means the user cannot refresh the JWT Token. If the user has multiple logins,
+    /// then all the users logins will marked as a invalid. 
     /// </summary>
-    public interface IDisableJwtRefreshToken
-    {
-        /// <summary>
-        /// This will mark the latest, valid RefreshToken as invalid.
-        /// Call this a) when a user logs out, or b) you want to log out an active user when the JTW times out
-        /// </summary>
-        /// <param name="userId"></param>
-        Task MarkJwtRefreshTokenAsUsedAsync(string userId);
-    }
+    /// <param name="userId"></param>
+    Task LogoutUserViaUserIdAsync(string userId);
 }

Example2.WebApiWithToken.IndividualAccounts/Controllers/AuthenticateController.cs

@@ -112,16 +112,15 @@ public async Task<ActionResult<TokenAndRefreshToken>> RefreshAuthentication(Toke
         }
 
         /// <summary>
-        /// This will mark the JST refresh as used, so the user cannot refresh the JWT Token
+        /// This will mark the JST refresh as used, so the user cannot refresh the JWT Token.
         /// </summary>
         /// <returns></returns>
         [Authorize]
         [HttpPost]
         [Route("logout")]
-        public async Task<ActionResult> Logout([FromServices]IDisableJwtRefreshToken service)
+        public async Task<ActionResult> Logout([FromServices]IDisableJwtRefreshToken service, string refreshToken)
         {
-            var userId = User.GetUserIdFromUser();
-            await service.MarkJwtRefreshTokenAsUsedAsync(userId);
+            await service.LogoutUserViaRefreshTokenAsync(refreshToken);
 
             return Ok();
         }

ReleaseNotes.md

@@ -2,6 +2,7 @@
 
 ## 3.5.0
 
+- BREAKING CHANGE (small): The DisableJwtRefreshToken service has been updated to handle multiple logins from one user
 - BREAKING CHANGE (small): Changed TenantChangeCookieEvent name to SomethingChangedCookieEvent
 - Improved feature: AuthPermissionsDbContext now takes mutiple IDatabaseStateChangeEvent
 - Improved feature: No AuthP database event change listeners will be triggered during bulk loading

Test/UnitTests/TestAuthPermissions/TestTokenBuilderAndRefresh.cs

@@ -209,7 +209,7 @@ public async Task RefreshTokenUsingRefreshTokenAsyncRefreshHasExpired()
         }
 
         [Fact]
-        public async Task TestMarkJwtRefreshTokenAsUsedAsync()
+        public async Task TestLogoutUserViaRefreshTokenAsync_TwoSameUsers()
         {
             //SETUP
             var options = SqliteInMemory.CreateOptions<AuthPermissionsDbContext>();
@@ -218,22 +218,66 @@ public async Task TestMarkJwtRefreshTokenAsUsedAsync()
 
             var setup = new SetupTokenBuilder(context);
             await setup.TokenBuilder.GenerateTokenAndRefreshTokenAsync("User1");
+            await setup.TokenBuilder.GenerateTokenAndRefreshTokenAsync("User1");
+
+            var refreshTokensSet = context.RefreshTokens.OrderBy(x => x.AddedDateUtc);
 
-            var beforeToken = context.RefreshTokens.Single();
-            beforeToken.IsInvalid.ShouldBeFalse();
+            var firstTokenBefore = refreshTokensSet.First();
+            firstTokenBefore.IsInvalid.ShouldBeFalse();
+
+            var lastTokenBefore = refreshTokensSet.Last();
+            lastTokenBefore.IsInvalid.ShouldBeFalse();
 
             context.ChangeTracker.Clear();
             var service = new DisableJwtRefreshToken(context);
 
             //ATTEMPT
-            await service.MarkJwtRefreshTokenAsUsedAsync("User1");
+            await service.LogoutUserViaRefreshTokenAsync(firstTokenBefore.TokenValue);
 
             //VERIFY
             context.ChangeTracker.Clear();
-            var afterToken = context.RefreshTokens.Single();
-            afterToken.IsInvalid.ShouldBeTrue();
+
+            var firstTokenAfter = refreshTokensSet.First();
+            firstTokenAfter.IsInvalid.ShouldBeTrue();
+
+            var lastTokenAfter = refreshTokensSet.Last();
+            lastTokenAfter.IsInvalid.ShouldBeFalse();
         }
 
+        [Fact]
+        public async Task LogoutUserViaUserIdAsync_TwoSameUsers()
+        {
+            //SETUP
+            var options = SqliteInMemory.CreateOptions<AuthPermissionsDbContext>();
+            using var context = new AuthPermissionsDbContext(options);
+            context.Database.EnsureCreated();
+
+            var setup = new SetupTokenBuilder(context);
+            await setup.TokenBuilder.GenerateTokenAndRefreshTokenAsync("User1");
+            await setup.TokenBuilder.GenerateTokenAndRefreshTokenAsync("User1");
+
+            var refreshTokensSet = context.RefreshTokens.OrderBy(x => x.AddedDateUtc);
+
+            var firstTokenBefore = refreshTokensSet.First();
+            firstTokenBefore.IsInvalid.ShouldBeFalse();
+
+            var lastTokenBefore = refreshTokensSet.Last();
+            lastTokenBefore.IsInvalid.ShouldBeFalse();
+
+            context.ChangeTracker.Clear();
+            var service = new DisableJwtRefreshToken(context);
+
+            //ATTEMPT
+            await service.LogoutUserViaUserIdAsync("User1");
 
+            //VERIFY
+            context.ChangeTracker.Clear();
+
+            var firstTokenAfter = refreshTokensSet.First();
+            firstTokenAfter.IsInvalid.ShouldBeTrue();
+
+            var lastTokenAfter = refreshTokensSet.Last();
+            lastTokenAfter.IsInvalid.ShouldBeTrue();
+        }
     }
 }