Improved invalidation of JWT in redis (#139)

* Improved invalidation of JWT in redis * use jwt as default value in generateRedisKey * import logger in app.js --------- Co-authored-by: Markus Frindt <m.frindt@cognigy.com>
2026-01-25 02:08:24 +00:00 · 2023-03-31 22:19:34 +02:00
parent 57110ede76
commit 97b17d9e1d
14 changed files with 207 additions and 55 deletions
--- a/lib/auth/index.js
+++ b/lib/auth/index.js
@@ -1,41 +1,42 @@
 const Strategy = require('passport-http-bearer').Strategy;
 const {getMysqlConnection} = require('../db');
-const {hashString} = require('../utils/password-utils');
 const debug = require('debug')('jambonz:api-server');
+const {cacheClient} = require('../helpers');
 const jwt = require('jsonwebtoken');
 const sql = `
  SELECT *
  FROM api_keys
  WHERE api_keys.token = ?`;

-function makeStrategy(logger, retrieveKey) {
+function makeStrategy(logger) {
  return new Strategy(
    async function(token, done) {
-      //logger.debug(`validating with token ${token}`);
      jwt.verify(token, process.env.JWT_SECRET, async(err, decoded) => {
        if (err) {
          if (err.name === 'TokenExpiredError') {
            logger.debug('jwt expired');
            return done(null, false);
          }
-          /* its not a jwt obtained through login, check api leys */
+          /* its not a jwt obtained through login, check api keys */
          checkApiTokens(logger, token, done);
        }
        else {
-          /* validated -- make sure it is not on blacklist */
          try {
-            const s = `jwt:${hashString(token)}`;
-            const result = await retrieveKey(s);
-            if (result) {
-              debug(`result from searching for ${s}: ${result}`);
+            const {user_sid} = decoded;
+            /* Valid jwt tokens are stored in redis by hashed user_id */
+            const redisKey = cacheClient.generateRedisKey('jwt', user_sid, 'v2');
+            const result = await cacheClient.get(redisKey);
+            if (result === null) {
+              debug(`result from searching for ${redisKey}: ${result}`);
              logger.info('jwt invalidated after logout');
              return done(null, false);
            }
-          } catch (err) {
+          } catch (error) {
            debug(err);
-            logger.info({err}, 'Error checking blacklist for jwt');
+            logger.info({err}, 'Error checking redis for jwt');
          }
-          const {user_sid, service_provider_sid, account_sid, email, name, scope, permissions} = decoded;
+          const { user_sid, service_provider_sid, account_sid, email, name, scope, permissions } = decoded;
+
          const user = {
            service_provider_sid,
            account_sid,