Jwt revocation question

Hello,
I had a security expert scan my servers and they warned me about a potential medium-risk security issue concerning the revocation of the session token.

So the code uses

// Assumed for completeness: express-jwt 6.x exports the middleware factory directly
const jwt = require("express-jwt");

app.use(
  jwt({
    secret: process.env.FOREST_AUTH_SECRET, // shared HMAC secret used to verify the token
    algorithms: ["HS256"],                   // pin the accepted algorithm
    credentialsRequired: false,              // requests without a token pass through with req.user unset
  })
);

But this JWT is not revoked anywhere.

The concern is about this scenario:
As a Forest-Admin authorized user, I log in to my Forest-Admin account and open one of my projects.
If I click disconnect, then leave the computer open, is a hacker able to replay my JWT to perform actions on the database?

  • forest-express-sequelize: 7.7.0
  • Express Version: ~4.17.1
  • Sequelize Version: 5.22.4

Hi @Gireg,

Indeed, our standard session tokens are not revoked.
But those session tokens have a very short lifetime (1 hour maximum, if I am not mistaken), which mitigates this kind of attack.

We did a security audit of our platform in April 2021 and have been certified by an external security company. Don’t hesitate to reach our sales team if you want to know more about that.

I hope it helps.
