Jwt revocation question

Gireg · June 25, 2021, 5:06pm

Hello,
I had a security expert scan my servers and they warned me about a potential medium risk security issue about the revocation of the session token.

So the code uses

app.use(
  jwt({
    secret: process.env.FOREST_AUTH_SECRET,
    algorithms: ["HS256"],
    credentialsRequired: false,
  })
);

But this JWT is not revoked anywhere.

The concern is about this scenario:
As a Forest-Admin authorized user, I log in to my Forest-Admin account and open one of my projects.
If I click disconnect, then leave the computer open, is a hacker able to replay my JWT to perform actions on the database ?

forest-express-sequelize: 7.7.0
Express Version: ~4.17.1
Sequelize Version: 5.22.4

arnaud · June 25, 2021, 5:26pm

Hi @Gireg,

Indeed our standard session token are not revoked.
But those session tokens have a very short lifetime (1 hour maximum if I am not mistaken), which mitigate this kind of attacks.

We did a security audit of our platform in April 2021 and have been certified by an external security company. Don’t hesitate to reach our sales team if you want to know more about that.

I hope it helps.

Topic		Replies	Views
Recurrent error jwt expired Help me!	4	44	October 7, 2024
Forest Admin keeps asking me to repeat my password to unlock my data but says it is wrong, even after resetting it Help me!	6	787	October 21, 2020
Hung on 'Unlocking your data Forest Admin is validating your identity on your environment.' Help me!	13	659	June 22, 2021
FA keeps asking me to repeat my password to "Unlock my Data" Help me!	2	380	October 4, 2021
Authentication issue after Forest Admin agent upgrade Help me!	7	50	December 5, 2024

Jwt revocation question

Related topics