8000 🐛 Bug Report: JWT still valid after Session Timeout · Issue #8000 · appwrite/appwrite · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

🐛 Bug Report: JWT still valid after Session Timeout #8000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
2 tasks done
jschmidtww opened this issue Apr 22, 2024 · 29 comments
Open
2 tasks done

🐛 Bug Report: JWT still valid after Session Timeout #8000

jschmidtww opened this issue Apr 22, 2024 · 29 comments
Assignees
@Souptik2001
Labels
bug Something isn't working good first issue Good for newcomers product / auth Fixes and upgrades for the Appwrite Auth / Users / Teams services.

Comments

@jschmidtww
Copy link
jschmidtww commented Apr 22, 2024
edited by stnguyen90
Loading

👟 Reproduction steps

I use JWT to authenticate a user on my API server. I use the /account endpoint to verify the JWT. If the user is logged out because the session has expired, the JWT is still valid and I still get a successful response when I call /account with the user's JWT.

👍 Expected behavior

The JWT should be invalid after the user is logged out and calling /account with users JWT should throw an error.

👎 Actual Behavior

Calling /account with the users JWT gives a successful response.

Discord thread: https://discord.com/channels/564160730845151244/1221805690050445362

🎲 Appwrite version

Version 1.4.x

💻 Operating system

Linux

🧱 Your Environment

I use Self-Hosted Appwrite Version 1.4.13

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?
@jschmidtww jschmidtww added the bug Something isn't working label Apr 22, 2024
@stnguyen90 stnguyen90 added product / auth Fixes and upgrades for the Appwrite Auth / Users / Teams services. good first issue Good for newcomers labels Apr 22, 2024
@stnguyen90
Copy link
Contributor

@jschmidtww, thanks for creating this issue! 🙏🏼 It looks like we check it's a valid JWT token, and there's an associated session:

appwrite/app/init.php

Lines 1199 to 1218 in b4bd48c

if (!empty($authJWT) && !$project->isEmpty()) { // JWT authentication
$jwt = new JWT(System::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway.
try {
$payload = $jwt->decode($authJWT);
} catch (JWTException $error) {
throw new Exception(Exception::USER_JWT_INVALID, 'Failed to verify JWT. ' . $error->getMessage());
}
$jwtUserId = $payload['userId'] ?? '';
$jwtSessionId = $payload['sessionId'] ?? '';
if ($jwtUserId && $jwtSessionId) {
$user = $dbForProject->getDocument('users', $jwtUserId);
}
if (empty($user->find('$id', $jwtSessionId, 'sessions'))) { // Match JWT to active token
$user = new Document([]);
}
}

but we don't check the session ID to see if it's still valid like we do here:

appwrite/app/init.php

Line 1184 in b4bd48c

|| !Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret)

@IshmeetSingh06
Copy link

Hi @stnguyen90 can I pick this issue?

before that can you confirm these things for me please
-> From what I understood from the issue description and your comment we need to check wether the session_id associated with that JWT is valid or not, should we check this inside the line:1211 block after getting the user or keep it a separate condition?

@stnguyen90
Copy link
Contributor

@IshmeetSingh06, assigned! Thanks for your interest! You can do it in the block. Please also make sure to set Auth::unique like here:

appwrite/app/init.php

Line 1165 in b4bd48c

Auth::$unique = $session['id'] ?? '';

@stnguyen90 stnguyen90 mentioned this issue Apr 26, 2024
Open
2 tasks
@IshmeetSingh06
Copy link

Hello @stnguyen90 @jschmidtww I have made the changes but unfortunately I was not able to reproduce and verify the issue locally, can you list the reproduction steps it would help me a lot.

@stnguyen90
Copy link
Contributor

@IshmeetSingh06, you can reproduce by:

  1. setting the session length (Auth > Security > Session length) to some small length
  2. signing in
  3. creating a JWT
  4. verify calling account.get() with JWT works
  5. wait for the session timeout
  6. call account.get() again

@stnguyen90 stnguyen90 moved this to In Progress in 1.5 release May 3, 2024
@ShivanshCharak
Copy link

@IshmeetSingh06 are you working on the issue??

@IshmeetSingh06
Copy link

Hi @ShivanshCharak I've worked on a possible fix but was not able to test it thoroughly due to being busy at work you can pick this up if you want to

@stnguyen90
Copy link
Contributor

@IshmeetSingh06, thanks for the update! @ShivanshCharak, I've assigned this issue to you.

@stnguyen90
Copy link
Contributor

@ShivanshCharak, how's your progress on this? FYI, I'll need to un-assign you soon if I don't hear back.

@stnguyen90 stnguyen90 mentioned this issue May 28, 2024
Merged
3 tasks
@Suvrajit69
Copy link
Suvrajit69 commented Jun 1, 2024
edited
Loading

I want to work on this issue. How can I set up this in my pc ? I am using ubuntu. Is unix commands work for me as per the docs?

@Afrin127329
Copy link

I want to work on this issue. How can I set up this in my pc ? I am using ubuntu. Is unix commands work for me as per the docs?

For contributing to appwrite, a good start can be this file: https://github.com/appwrite/appwrite/blob/main/CONTRIBUTING.md

About the unix commands, it depends on the ubunutu version you're using. Common commands like ls, mkdir etc. should be available.

@stnguyen90
Copy link
Contributor

Unassigned @ShivanshCharak due to inactivity.

Assigned to @Suvrajit69. Thanks for your interest! 🙏🏼 Yes, you should be able to follow the contributing docs.

@Afrin127329
Copy link

I am already working on this since you were delaying 🙃

@stnguyen90
Copy link
Contributor

@Afrin127329, especially if multiple people ask to work on an issue, please do not work on it as we don't want multiple people working on the same issue and then one person's work would be wasted.

@Suvrajit69
Copy link

I am working on it.

@Afrin127329
Copy link
Afrin127329 commented Jun 8, 2024
edited
Loading

@Afrin127329, especially if multiple people ask to work on an issue, ple 8000 ase do not work on it as we don't want multiple people working on the same issue and then one person's work would be wasted.

Thanks. This issue was quite old and inactive. That's why I picked it up. Won't make anymore PRs or mentions.

Don't wanna bother anyone.

@Suvrajit69
Copy link

@stnguyen90 account.createJWT() does not work for me.

try {
      await account.create(ID.unique(), "user@example.com", "password");
      console.log("User created.");
    } catch (error) {
      if (error.code !== 409) {
        // Ignore "user already exists" error
        console.error("Error creating user:", error);
        return;
      }
    }

    // Log in the user
    const session = await account.createEmailPasswordSession(
      "user@example.com",
      "password"
    );
    console.log("User logged in:", session);

    // Generate a JWT
    const jwt = await account.createJWT();
    console.log("JWT:", jwt.jwt);

Also account.createSession() did not work. So I use account.createEmailPasswordSession(). Can you please check this code.

@stnguyen90
Copy link
Contributor

@Suvrajit69, if you're using the web sdk, it has to be done in the browser so that the cookie or fallback header is used to persist the session for subsequent API calls.

@Suvrajit69
Copy link

@Afrin127329 you can try this issue. I am giving up.

@Afrin127329
Copy link

@Afrin127329 you can try this issue. I am giving up.

I can't since I am not assigned. Don't worry someone else will pick this up

@Suvrajit69
Copy link
Suvrajit69 commented Jun 13, 2024
edited
Loading

@Afrin127329 If you really passionate or you said you were working on it is true. Then you should at least try and if you done raise a pr even without assigned.

@Suvrajit69 Suvrajit69 removed their assignment Jun 13, 2024
@stnguyen90
Copy link
Contributor

@Suvrajit69, we prefer to only have the assignee work on an issue so that multiple people don't work on the same thing leading to duplicate work.

@Afrin127329, I'll assign this to you now that @Suvrajit69 doesn't want to work on this. Let me know if you aren't able to work on this and I'll unassign you.

@Afrin127329
Copy link

Please unassign

@Souptik2001 Souptik2001 mentioned this issue Jun 25, 2024
Open
2 tasks
@Souptik2001
Copy link
Contributor

@stnguyen90 As this issue was not assigned to anyone as per the last comment, I just inserted the change required for this issue in this PR - #8313

Ref comment - #8313 (comment)

@yourdeepanshuverma
Copy link

@stnguyen90 hey, if no one is assigned i want work on this issue.

@kartik1112
Copy link

@stnguyen90 is it done or can i work on this?

@stnguyen90 stnguyen90 mentioned this issue Jul 26, 2024
Merged
2 tasks
@mayankpmahajan
Copy link

@stnguyen90 Hey, if nobody is working on this issue, can it be assigned to me?

@baraich
Copy link
baraich commented Oct 1, 2024

@stnguyen90, Hi hope you are doing good. Skimming through the conversation, the issue was somewhat resolved, I wanted to know, has the issue been resolved. If no, could you assign the issue to me.

Thanks.

@shreykx
Copy link
shreykx commented Oct 10, 2024

anyone assigned?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Souptik2001 Souptik2001

Labels
bug Something isn't working good first issue Good for newcomers product / auth Fixes and upgrades for the Appwrite Auth / Users / Teams services.
Projects
1.5 release
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
0