add JWT revocation list

devksingh4 · devksingh4 · commit e730ba46f7d5 · 2025-07-07T15:12:26.000-05:00
diff --git a/src/api/plugins/auth.ts b/src/api/plugins/auth.ts
@@ -265,11 +265,27 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
         request.log.debug(
           `Start to verifying JWT took ${new Date().getTime() - startTime} ms.`,
         );
-        request.tokenPayload = verifiedTokenData;
-        request.username =
+        // check revocation list for token
+        const proposedUsername =
           verifiedTokenData.email ||
           verifiedTokenData.upn?.replace("acm.illinois.edu", "illinois.edu") ||
           verifiedTokenData.sub;
+        const { redisClient, log: logger } = fastify;
+        const revokedResult = await getKey<{ isInvalid: boolean }>({
+          redisClient,
+          key: `tokenRevocationList:${verifiedTokenData.uti}`,
+          logger,
+        });
+        if (revokedResult) {
+          fastify.log.info(
+            `Revoked token ${verifiedTokenData.uti} for ${proposedUsername} was attempted.`,
+          );
+          throw new UnauthenticatedError({
+            message: "Invalid token.",
+          });
+        }
+        request.tokenPayload = verifiedTokenData;
+        request.username = proposedUsername;
         const expectedRoles = new Set(validRoles);
         const cachedRoles = await getKey<string[]>({
           key: `${AUTH_CACHE_PREFIX}${request.username}:roles`,
diff --git a/src/api/routes/clearSession.ts b/src/api/routes/clearSession.ts
@@ -2,6 +2,7 @@ import { FastifyPluginAsync } from "fastify";
 import rateLimiter from "api/plugins/rateLimiter.js";
 import { withRoles, withTags } from "api/components/index.js";
 import { clearAuthCache } from "api/functions/authorization.js";
+import { setKey } from "api/functions/redisCache.js";
 
 const clearSessionPlugin: FastifyPluginAsync = async (fastify, _options) => {
   fastify.register(rateLimiter, {
@@ -26,7 +27,25 @@ const clearSessionPlugin: FastifyPluginAsync = async (fastify, _options) => {
       const username = [request.username!];
       const { redisClient } = fastify;
       const { log: logger } = fastify;
+
       await clearAuthCache({ redisClient, username, logger });
+      if (!request.tokenPayload) {
+        return;
+      }
+      const now = Date.now() / 1000;
+      const tokenExpiry = request.tokenPayload.exp;
+      const expiresIn = Math.ceil(tokenExpiry - now);
+      const tokenId = request.tokenPayload.uti;
+      // if the token expires more than 10 seconds after now, add to a revoke list
+      if (expiresIn > 10) {
+        await setKey({
+          redisClient,
+          key: `tokenRevocationList:${tokenId}`,
+          data: JSON.stringify({ isInvalid: true }),
+          logger,
+          expiresIn,
+        });
+      }
     },
   );
 };
