fix(authentication-service): terminate JWT token (#2212)

* fix(authentication-service): terminate JWT token

JWT not terminated after logout lead to sensitive data exposure | terminate JWT token after logout

GH-2167

* fix(authentication-service): terminate JWT token

reverted unnecessary updated files to previous versions

GH-2167

* fix(authentication-service): fix typo in README.md
fix for typo in README.md
GH-2167

---------

Co-authored-by: Karunesh Mani Tripathi <[email protected]>
Co-authored-by: yeshamavani <[email protected]>

Author: 3 people

services/authentication-service/src/modules/auth/controllers/logout.controller.ts

@@ -28,6 +28,7 @@ import {
 import {encode} from 'base-64';
 import crypto from 'crypto';
 import {HttpsProxyAgent} from 'https-proxy-agent';
+import jwt from 'jsonwebtoken';
 import {
   authenticate,
   AuthenticationBindings,
@@ -56,6 +57,7 @@ import {
   UserTenantRepository,
 } from '../../../repositories';
 import {ActorId, IUserActivity} from '../../../types';
+import {TokenPayload} from '../interfaces';
 
 const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
 
@@ -70,6 +72,7 @@ const size = 16;
 const SUCCESS_RESPONSE = 'Success Response';
 const AUTHENTICATE_USER =
   'This is the access token which is required to authenticate user.';
+
 export class LogoutController {
   constructor(
     @inject(RestBindings.Http.REQUEST) private readonly req: Request,
@@ -136,15 +139,21 @@ export class LogoutController {
         AuthenticateErrorKeys.TokenMissing,
       );
     }
-
     const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
     if (!refreshTokenModel) {
       throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
     }
     if (refreshTokenModel.accessToken !== token) {
       throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
     }
-    await this.revokedTokens.set(token, {token});
+    const expiry = this.decodeAndGetExpiry(token);
+    await this.revokedTokens.set(
+      token,
+      {token},
+      {
+        ttl: expiry,
+      },
+    );
     await this.refreshTokenRepo.delete(req.refreshToken);
     if (refreshTokenModel.pubnubToken) {
       await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
@@ -517,4 +526,27 @@ export class LogoutController {
       });
     }
   }
+
+  /**
+   * The function decodes a JWT token and returns the expiration time in milliseconds.
+   * @param {string} token - The `token` parameter is a string that represents a JSON Web Token (JWT).
+   * @returns the expiry time of the token in milliseconds.
+   */
+  /**
+   * Decodes the given token and retrieves the expiry timestamp.
+   *
+   * @param token - The token to decode.
+   * @returns The expiry timestamp in milliseconds.
+   */
+  decodeAndGetExpiry(token: string): number | null {
+    const tokenData = jwt.decode(token) as TokenPayload | null; // handle null result from decode
+    const ms = 1000;
+
+    if (tokenData?.exp) {
+      return tokenData.exp * ms;
+    }
+
+    // If tokenData or exp is missing, return null to indicate no expiry
+    return null;
+  }
 }

services/authentication-service/src/modules/auth/interfaces/index.ts

@@ -0,0 +1 @@
+export * from './token.interface';

services/authentication-service/src/modules/auth/interfaces/token.interface.ts

@@ -0,0 +1,20 @@
+export interface BaseTokenPayload {
+  exp?: number; // Optional because the token may not have an expiration field
+  iat?: number;
+}
+
+/**
+ * @interface TokenPayload
+ * @extends BaseTokenPayload
+ *
+ * Represents the payload of a token used for authentication.
+ *
+ * @property {string} userId - The unique identifier of the user.
+ * @property {string} email - The email address of the user.
+ * @property {string[]} roles - An array of roles assigned to the user.
+ */
+export interface TokenPayload extends BaseTokenPayload {
+  userId: string;
+  email: string;
+  roles: string[];
+}