Implementation of token blacklist for a JWT access token? #346
Closed
estebanz01
started this conversation in
General
Replies: 2 comments 1 reply
-
You can use the active_sessions feature (which uses a whitelist approach instead of a blacklist approach): https://rodauth.jeremyevans.net/rdoc/files/doc/active_sessions_rdoc.html
1 reply
-
This is what I ended up doing, for posterity:

Rodauth:

```ruby
# rodauth.rb
require 'roda'
require 'securerandom'

class RodauthApp < Roda
  # It is not a Roda app
  plugin :middleware

  # Enable rodauth in JSON api mode only.
  plugin :rodauth, json: :only do
    session_secret_value = ENV.fetch('SESSION_SECRET') { SecureRandom.hex(256) }

    # Feature enabling
    enable :login, :logout, :create_account, :active_sessions, :json, :jwt

    # General HMAC secret value to be used in multiple features
    hmac_secret session_secret_value

    # login configuration
    login_param 'email' # default is 'login'
  end

  # Define Rodauth routes in rack middleware and expose rodauth object to Sinatra.
  route do |r|
    env['rodauth'] = rodauth
    r.rodauth
  end
end

# Inject rodauth definition into middleware
use RodauthApp
```

App helper:

```ruby
# rodauth/authentication.rb
module Rodauth
  module Authentication
    # Expose rodauth object.
    # Idea extracted from https://github.com/davydovanton/rodauth_hanami/blob/master/apps/auth/helpers/authentication.rb#L37
    def rodauth
      request.env['rodauth']
    end

    # Require a logged-in account whose session id is still in the active_sessions whitelist.
    def check_authentication
      rodauth.require_authentication
      rodauth.check_active_session
    end
  end
end
```

App:

```ruby
# app.rb
require 'sinatra'

# Setup rodauth
require_relative 'rodauth'
helpers Rodauth::Authentication

# Define routes here.
get '/' do
  check_authentication
  "Hola Mundo"
end

post '/random' do
  check_authentication
  "Hola: #{rand(1..6)}" # was Random(1..6), which is not a valid Ruby call
end
```
0 replies
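The whitelist approach the answer above points to, shown as an added Ruby example that is not Rodauth's own code: login issues an HS256 JWT carrying a session id and records that id; authentication verifies the signature and then requires the id to still be registered; logout deletes the id, so the token is rejected even though its signature stays valid. The secret, the in-memory session store and the claim names are constructed for this example (Rodauth's active_sessions feature keeps its whitelist in a database table).

```ruby
require 'openssl'
require 'json'
require 'securerandom'
# Shared HMAC secret and in-memory whitelist, both constructed for this example.
# Rodauth's active_sessions feature keeps the equivalent whitelist in a DB table.
SECRET = 'example-secret-change-me'.freeze
ACTIVE_SESSIONS = {}

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

def hmac(data)
  OpenSSL::HMAC.digest('SHA256', SECRET, data)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login: issue an HS256 JWT carrying a fresh session id and whitelist that id.
def login(email)
  session_id = SecureRandom.hex(16)
  ACTIVE_SESSIONS[session_id] = email
  head = b64url(JSON.generate({ typ: 'JWT', alg: 'HS256' }))
  body = b64url(JSON.generate({ sub: email, session_id: session_id }))
  "#{head}.#{body}.#{b64url(hmac("#{head}.#{body}"))}"
end

# Authenticate: verify the signature, then require the session id to still be
# active. Returns the subject on success, nil for invalid or logged-out tokens.
def authenticate(token)
  head, body, sig = token.split('.')
  return nil unless head && body && sig
  return nil unless secure_equal?(sig, b64url(hmac("#{head}.#{body}")))
  claims = JSON.parse(b64url_decode(body))
  ACTIVE_SESSIONS.key?(claims['session_id']) ? claims['sub'] : nil
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is treated as an invalid token
end

# Logout: drop the session id; the signature stays valid but the token is now rejected.
def logout(token)
  claims = JSON.parse(b64url_decode(token.split('.')[1]))
  ACTIVE_SESSIONS.delete(claims['session_id'])
end
```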
-
Hola! 👋
I'm rewriting an authentication service from django/python to ruby with rodauth/sinatra. The authentication method is using JWT tokens, which I managed to replicate pretty easily with this gem, but there's still something that I cannot comprehend quite well or maybe is not implemented yet, where after a `/logout` is issued, the specified access token should be added to a blacklist. Is this something that I need to do manually? If so, any guides on how to implement it on my side? Here's what I have: