
I am using a JWT token with the Spring Security tutorial.

After successfully generating the token on login and passing it to my Angular application in the localStorage object, I have one problem: on logout I delete the token, but using the same token I can still hit the secured API through Postman.

How can I delete the user's token when he goes to the logout URL of the front-end application?

Updated: I created this logout function in my service:

import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.TokenStore;

// Fields of the service class (class name TokenService is a placeholder here)
private static final Logger log = LoggerFactory.getLogger(TokenService.class);
private TokenStore tokenStore; // injected; backed by MongoDB in my setup

public void logout(HttpServletRequest request) {
    if (request != null) {
        String authHeader = request.getHeader("Authorization");
        if (authHeader != null) {
            // Strip the "Bearer" prefix (case-insensitive) to get the raw token value
            String tokenValue = authHeader.replaceFirst("(?i)bearer", "").trim();
            // Note: this writes the bearer token itself into the application log
            log.info("Token to remove value = {}", tokenValue);
            OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
            if (accessToken != null) {
                tokenStore.removeAccessToken(accessToken);
                log.info("Token has been removed");
            } else {
                log.info("accessToken not found");
            }
            log.info("logging");
        }
    }
}

The logical thing to happen is that the token provided to the logout URL gets deleted from my Mongo database, but when I log in again I get the same token generated.

Ganesh
Youssef Boudaya

2 Answers


JWT is a stateless approach, so this means that when validating a JWT token you should not really go into the database, as this loses the statelessness. So, in one word: not possible. That is why your JWT token should be short-lived, so that the token will become inactive within some time.


We cannot control the JWT token that is provided by the server. The only thing that we can do is delete it for that particular session (whether it's a browser login session or tab-specific).

In the front end we check for a valid JWT token (which might also have user info) on every user login, and we delete it (only in browser storage such as cookies, local storage or session storage) when that particular session ends, e.g. on logout; but we are not going to delete it on the server side, because it's stateless.

We will not validate the new token against the old one, because it might be the same if it did not exceed the token expiration time.

For your actual question, the answer is: if we delete the token in the front end, that is intended to stop the user for that session and to request another token if he logs in again, but it does not invalidate or expire the currently used token for its lifetime.

So the token might still be valid if you take the same one to request the secure API.

A JWT token is only controlled by its expiration time, set up on the server side. You can check here for more info about it:

Don't confuse deleting with setting the expiration time. There might be fewer situations where the same token is used from different devices (like application login, Postman, etc.).

Ganesh
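The point both answers make, shown as an added example that is not from the question or either answer: a minimal HS256 verifier (constructed secret and claims, Python rather than Spring) that checks only the signature and `exp`, so removing a token from a database changes nothing and re-issuing the same claims yields the same token. The `revoke`/`check_revocation` part shows the usual compromise when logout must take effect before `exp`: a denylist keyed by `jti`, kept only until the token's own expiry.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example, not a real key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict) -> str:
    """Mint an HS256 JWT; identical claims always give the identical token (no server state)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Revoked token ids (jti -> exp): an entry is only needed until the token expires anyway.
revoked = {}

def revoke(token: str) -> None:
    """Logout: remember this token's jti until its own exp, after which it can be forgotten."""
    claims = json.loads(_unb64url(token.split(".")[1]))
    revoked[claims["jti"]] = claims["exp"]

def verify(token: str, now: int, check_revocation: bool = False):
    """Return the claims if the token is acceptable at time `now`, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # never let the token choose its own algorithm (e.g. "none")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if check_revocation:
        for jti, exp in list(revoked.items()):  # prune entries whose token has expired
            if exp <= now:
                del revoked[jti]
        if claims.get("jti") in revoked:
            return None
    return claims
```

Without `check_revocation`, a revoked token stays valid until `exp`, which is exactly the behaviour seen in the question; with it, the denylist never grows past the number of tokens still within their lifetime.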