Invalidate token on reset password

[balvirsingh]

Symfony - 5.2.5
PHP - 7.4
URL - /reset/password
This route has public access and no token need to be passed.
Now, When user password has been reset, I want to invalidate/expire the old token of this user server-side (passing email in body).

What is the correct way to do this?

[fd6130]

Hi, I think you should open this at discussion and not issue (since this more like an Q&A).

Back to the topic, you may save the token to database after user successfully login and then every time user access your api the authenticator should look up from the table for the token. You can do anything you want from there since you have fully control of the user token (such as removing the token from database to act as invalidate, etc).

[chalasr]

Also I suggest to rely on the jti claim (a standard claim whose purpose is precisely to be able to track/revoke JWTs).
Note that I'm more and more thinking to implement such mechanism in the bundle, at least having a well integrated abstraction you can plug any storage behind would be good. Any thought on that idea?

[fd6130]

So I guess everytime user succesfully login and obtain the token, the jti will be save to database?

[balvirsingh]

What is the correct way to store token in db and validate token from db?

[mbabker]

You'll have to add in more code for whatever use cases you'll have on top of this, but, I'll share what I just implemented in a client app to handle blocking JWTs from being used in certain conditions.

1. You need to add the jti claim to the payload:

<?php declare(strict_types=1);

namespace App\EventListener;

use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Events;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;

final class AddClaimsToJWTListener
{
    #[AsEventListener(event: Events::JWT_CREATED)]
    public function __invoke(JWTCreatedEvent $event): void
    {
        $data = $event->getData();

        if (!isset($data['jti'])) {
            $data['jti'] = bin2hex(random_bytes(16));

            $event->setData($data);
        }
    }
}

2. You need to add the JWT to some kind of storage backend on key events (in this example, we catch login failures for certain exception types and all logouts):

namespace App\EventListener;

use App\JWT\BlockedTokenManager;
use App\JWT\Exception\MissingClaimException;
use Lexik\Bundle\JWTAuthenticationBundle\Exception\JWTDecodeFailureException;
use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
use Lexik\Bundle\JWTAuthenticationBundle\TokenExtractor\TokenExtractorInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\DisabledException;
use Symfony\Component\Security\Http\Event\LoginFailureEvent;
use Symfony\Component\Security\Http\Event\LogoutEvent;

final class BlockJWTListener
{
    public function __construct(
        private readonly BlockedTokenManager $tokenManager,
        private readonly TokenExtractorInterface $tokenExtractor,
        private readonly JWTTokenManagerInterface $jwtManager,
    ) {
    }

    #[AsEventListener(dispatcher: 'security.event_dispatcher.internal_api')]
    public function onLoginFailure(LoginFailureEvent $event): void
    {
        if ($event->getException() instanceof DisabledException) {
            $this->blockTokenFromRequest($event->getRequest());
        }
    }

    #[AsEventListener(dispatcher: 'security.event_dispatcher.internal_api')]
    public function onLogout(LogoutEvent $event): void
    {
        $this->blockTokenFromRequest($event->getRequest());
    }

    private function blockTokenFromRequest(Request $request): void
    {
        $token = $this->tokenExtractor->extract($request);

        if ($token === false) {
            // There's nothing to block if the token isn't in the request
            return;
        }

        try {
            $payload = $this->jwtManager->parse($token);
        } catch (JWTDecodeFailureException) {
            // Ignore decode failures, this would mean the token is invalid anyway
            return;
        }

        try {
            $this->tokenManager->add($payload);
        } catch (MissingClaimException) {
            // We can't block a token missing the claims our system requires, so silently ignore this one
        }
    }
}

3. You need some kind of storage layer to track blocked tokens, we're dumping this data into our Redis instance so that the blocked token data falls out of storage shortly after the JWT would normally expire (this class could have an interface built in front of it and if someone wanted to use a different storage, i.e. database, then that wouldn't be all that impractical):

namespace App\JWT;

use App\JWT\Exception\MissingClaimException;
use Psr\Cache\CacheItemPoolInterface;

class BlockedTokenManager
{
    public function __construct(private readonly CacheItemPoolInterface $cacheJwt)
    {
    }

    /**
     * @throws MissingClaimException if required claims do not exist in the payload
     */
    public function add(array $payload): bool
    {
        if (!isset($payload['exp'])) {
            throw new MissingClaimException('exp');
        }

        $expiration = new \DateTime('@' . $payload['exp'], new \DateTimeZone('UTC'));
        $now        = new \DateTime(timezone: new \DateTimeZone('UTC'));

        // If the token is already expired, there's no point in adding it to storage
        if ($expiration <= $now) {
            return false;
        }

        $cacheExpiration = (clone $expiration)->add(new \DateInterval('PT5M'));

        if (!isset($payload['jti'])) {
            throw new MissingClaimException('jti');
        }

        $cacheItem = $this->cacheJwt->getItem($payload['jti']);
        $cacheItem->set([]);
        $cacheItem->expiresAt($cacheExpiration);

        $this->cacheJwt->save($cacheItem);

        return true;
    }

    /**
     * @throws MissingClaimException if required claims do not exist in the payload
     */
    public function has(array $payload): bool
    {
        if (!isset($payload['jti'])) {
            throw new MissingClaimException('jti');
        }

        return $this->cacheJwt->hasItem($payload['jti']);
    }

    /**
     * @throws MissingClaimException if required claims do not exist in the payload
     */
    public function remove(array $payload): void
    {
        if (!isset($payload['jti'])) {
            throw new MissingClaimException('jti');
        }

        $this->cacheJwt->deleteItem($payload['jti']);
    }
}

namespace App\JWT\Exception;

final class MissingClaimException extends \RuntimeException
{
    public function __construct(
        public readonly string $claim,
        int $code = 0,
        \Throwable $previous = null,
    ) {
        parent::__construct(sprintf('Missing required "%s" claim on JWT payload.', $claim), $code, $previous);
    }
}

4. Now that you have something tracking blocked tokens, you can prevent them from being used when authenticating:

namespace App\EventListener;

use App\JWT\BlockedTokenManager;
use App\JWT\Exception\MissingClaimException;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Events;
use Lexik\Bundle\JWTAuthenticationBundle\Exception\InvalidTokenException;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;

final class RejectBlockedTokenListener
{
    public function __construct(private readonly BlockedTokenManager $tokenManager)
    {
    }

    /**
     * @throws InvalidTokenException if the JWT is blocked
     */
    #[AsEventListener(event: Events::JWT_AUTHENTICATED)]
    public function __invoke(JWTAuthenticatedEvent $event): void
    {
        try {
            if ($this->tokenManager->has($event->getPayload())) {
                throw new InvalidTokenException('JWT blocked');
            }
        } catch (MissingClaimException) {
            // Do nothing if the required claims do not exist on the payload (older JWTs won't have the "jti" claim the manager requires)
        }
    }
}

We haven't done anything in our app to deal with invalidating tokens on key events such as on a password change, nor are we tracking issued/active JWTs anywhere in storage. But with this infrastructure, you'd really just need to add a database table to track a user and all of their active JWTs (an entity with a relation to your User object and the jti claim value would be the minimum info; you could also add in the exp claim so that you can routinely clean the database after tokens expire) and then use domain events to trigger the blocker service.

[chalasr]

Thanks a lot for sharing @mbabker!

[yalagin]

just set invalidation date("now") in user table and then check jwt with "iat" against this date

[thorge]

Why not consider integrating invalidating tokens as an option within the LexikJWTAuthenticationBundle? It appears to be a highly requested feature.

[mbabker]

There isn't anything baked into the framework to deal with password reset stuff, all the cases where a user would change their password (through a page when logged in, a password reset workflow, etc.) are all things an application takes care of on their own. So there isn't anything this bundle can hook into to automatically do something.