Issue: When a user logs out of the system, their JWT access token remains valid until its natural expiration time, allowing the token to be used for authenticated requests even after logout.
Impact: This creates a security vulnerability where:
- Logged-out users retain access to protected APIs until their JWT naturally expires
- Session invalidation through logout is ineffective
- In case of security incidents, compromised tokens cannot be immediately revoked
- Access token lifetime becomes the effective session lifetime, regardless of logout
Affected Components:
- All microservices using @sourceloop/core's BearerVerifierComponent with BearerVerifierType.service
- Services using the default ServiceSequence for request handling
Not Affected:
- Authentication Service (uses custom BearerTokenVerifyProvider)
- Facade Services (use FacadesBearerAsymmetricTokenVerifyProvider)
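The mitigation this issue calls for is a server-side revocation check in the bearer verifier, so that logout can deny a token before its exp. The sketch below is an added example, not code from sourceloop or any of the components named above; the RevocationStore, signToken, verifyToken and logout names are hypothetical, and the in-memory Map stands in for a shared store such as Redis that every service instance would consult.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Hypothetical denylist of revoked token ids (jti). Each entry is kept only
// until the token's own exp, after which the token is dead anyway.
export class RevocationStore {
  private revoked = new Map<string, number>();
  revoke(jti: string, exp: number): void { this.revoked.set(jti, exp); }
  isRevoked(jti: string, now: number): boolean {
    this.revoked.forEach((exp, id) => { if (exp <= now) this.revoked.delete(id); });
    return this.revoked.has(jti);
  }
}

const b64url = (s: string): string => Buffer.from(s).toString('base64url');

// Mint an HS256 JWT; a jti claim is required so single tokens can be revoked.
export function signToken(claims: Record<string, unknown>, secret: string): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Verify algorithm, signature, expiry and revocation; returns claims or null.
export function verifyToken(token: string, secret: string, store: RevocationStore,
                            now: number = Math.floor(Date.now() / 1000)): Record<string, any> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') return null; // pin the algorithm, never trust the header
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  if (typeof claims.jti !== 'string' || store.isRevoked(claims.jti, now)) return null;
  return claims;
}

// Logout: a still-valid token has its jti denied until its natural exp.
export function logout(token: string, secret: string, store: RevocationStore, now?: number): boolean {
  const claims = verifyToken(token, secret, store, now);
  if (!claims) return false;
  store.revoke(claims.jti, claims.exp);
  return true;
}
```

With the shared store in place, every service behind the verifier rejects a logged-out token on the next request instead of honouring it until exp.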