🐛 Bug Report: JWT still valid after Session Timeout #8000
Comments
@jschmidtww, thanks for creating this issue! 🙏🏼 It looks like we check it's a valid JWT token, and there's an associated session: Lines 1199 to 1218 in b4bd48c
but we don't check the session ID to see if it's still valid like we do here: Line 1184 in b4bd48c
Hi @stnguyen90, can I pick this issue? Before that, can you confirm these things for me please?
@IshmeetSingh06, assigned! Thanks for your interest! You can do it in the block. Please also make sure to set Line 1165 in b4bd48c
Hello @stnguyen90 @jschmidtww, I have made the changes, but unfortunately I was not able to reproduce and verify the issue locally. Can you list the reproduction steps? It would help me a lot.
@IshmeetSingh06, you can reproduce by:
@IshmeetSingh06, are you working on the issue?
Hi @ShivanshCharak, I've worked on a possible fix but was not able to test it thoroughly due to being busy at work. You can pick this up if you want to.
@IshmeetSingh06, thanks for the update! @ShivanshCharak, I've assigned this issue to you.
@ShivanshCharak, how's your progress on this? FYI, I'll need to un-assign you soon if I don't hear back.
👟 Reproduction steps
I use JWT to authenticate a user on my API server. I use the /account endpoint to verify the JWT. If the user is logged out because the session has expired, the JWT is still valid and I still get a successful response when I call /account with the user's JWT.
👍 Expected behavior
The JWT should be invalid after the user is logged out, and calling /account with the user's JWT should throw an error.
👎 Actual Behavior
Calling /account with the user's JWT gives a successful response.
Discord thread: https://discord.com/channels/564160730845151244/1221805690050445362
🎲 Appwrite version
Version 1.4.x
💻 Operating system
Linux
🧱 Your Environment
I use Self-Hosted Appwrite Version 1.4.13
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
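The missing check this issue describes, as an added illustration that is not Appwrite's own code: a minimal HS256 JWT verifier and two versions of an /account-style lookup. The first accepts any correctly signed, unexpired JWT whose session record exists (the reported behaviour); the second also rejects the request once that session has expired or been deleted. The signing secret, the session-store layout and the claim names (userId, sessionId, exp) are constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; never hard-code a real signing key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:
    # Mint an HS256 JWT over the claims (demo helper so the example is self-contained).
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: int):
    # Signature check plus the token's own exp claim; returns the claims or None.
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    return claims if claims.get("exp", 0) > now else None

def _session_for(claims: dict, sessions: dict):
    # The session the JWT references, only if it belongs to the JWT's user.
    session = sessions.get(claims.get("sessionId"))
    if session is None or session["userId"] != claims.get("userId"):
        return None
    return session

def account_before(token: str, sessions: dict, now: int):
    # Behaviour the issue describes: valid JWT + existing session record is enough.
    claims = verify_jwt(token, now)
    session = _session_for(claims, sessions) if claims else None
    return session["userId"] if session else None  # session expiry is never consulted

def account_after(token: str, sessions: dict, now: int):
    # Hardened: the referenced session must itself still be live.
    claims = verify_jwt(token, now)
    session = _session_for(claims, sessions) if claims else None
    if session is None or session["expire"] <= now:  # expired or logged out: reject
        return None
    return session["userId"]
```

A JWT's own exp claim only bounds the token's lifetime; whether the user is still logged in has to be read from the session record on every request.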