fix(core): revoke active JWT tokens after logout by Sourav-kashyap · Pull Request #2571 · sourcefuse/loopback4-microservice-catalog

Sourav-kashyap · 2026-06-19T12:50:10Z

JWT Logout Security Fix

Problem Statement

Security Vulnerability: JWT Tokens Remain Valid After Logout

Issue: When a user logs out of the system, their JWT access token remains valid until its natural expiration time, allowing the token to be used for authenticated requests even after logout.

Impact: This creates a security vulnerability where:

Logged-out users retain access to protected APIs until their JWT naturally expires
Session invalidation through logout is ineffective
In case of security incidents, compromised tokens cannot be immediately revoked
Access token lifetime becomes the effective session lifetime, regardless of logout

Type of change

Bug fix (non-breaking change which fixes an issue)

Checklist:

Performed a self-review of my own code
npm test passes on your machine

Build:

Test:

revoke active JWT tokens after logout GH-2570

sonarqubecloud · 2026-06-19T12:51:08Z

SonarQube reviewer guide

Summary: Add token revocation checking to bearer token verification by introducing a utility function that validates tokens against a revoked token repository across both symmetric and asymmetric token verifiers.

Review Focus:

The new checkIfTokenRevoked utility's error handling strategy—it silently logs repository errors rather than failing verification. Verify this graceful degradation approach is intentional and acceptable for security.
Ensure the revocation check executes early enough in the verification flow to prevent unnecessary downstream processing.
Confirm the RevokedTokenRepository.get() method efficiently handles token lookups.

Start review at: packages/core/src/components/bearer-verifier/providers/utils/revoked-token-checker.util.ts. This is the core security logic; understanding its error handling and performance characteristics is essential before reviewing its integration points.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

samarpan-b · 2026-06-20T03:22:34Z

  value(): VerifyFunction.BearerFn {
    return async (token: string) => {
+      // Check if token has been revoked
+      await checkIfTokenRevoked(token, this.revokedTokenRepo, this.logger);


where are we revoking this token actually ?

fix(core): revoke active JWT tokens after logout

a841547

revoke active JWT tokens after logout GH-2570

Sourav-kashyap requested review from a-ganguly and yeshamavani June 19, 2026 12:50

Sourav-kashyap self-assigned this Jun 19, 2026

Sourav-kashyap requested a review from a team as a code owner June 19, 2026 12:50

Sourav-kashyap linked an issue Jun 19, 2026 that may be closed by this pull request

Security Vulnerability: JWT Tokens Remain Valid After Logout #2570

Open

samarpan-b requested changes Jun 20, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(core): revoke active JWT tokens after logout#2571

fix(core): revoke active JWT tokens after logout#2571
Sourav-kashyap wants to merge 1 commit into
masterfrom
GH-2570

Sourav-kashyap commented Jun 19, 2026

Uh oh!

sonarqubecloud Bot commented Jun 19, 2026

Uh oh!

samarpan-b Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Sourav-kashyap commented Jun 19, 2026

JWT Logout Security Fix

Problem Statement

Security Vulnerability: JWT Tokens Remain Valid After Logout

Type of change

Checklist:

Build:

Test:

Uh oh!

sonarqubecloud Bot commented Jun 19, 2026

SonarQube reviewer guide

Quality Gate passed

Uh oh!

samarpan-b Jun 20, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants