notkshitij/SkycrateBackend
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Revoke refresh token on logout for enhanced session security

Browse Source
This commit is contained in:
K
2025-07-03 03:21:53 +05:30
parent 31f13b980b
commit 9cb9c67b09
2 changed files with 24 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/main/java/com/skycrate/backend/skycrateBackend/controller/AuthController.java
+19 -13
View File
@@ -27,6 +27,9 @@ public class AuthController {
this.userRepository = userRepository; this.userRepository = userRepository;
} }
@Autowired
private RefreshTokenService refreshTokenService;
@PostMapping("/login") @PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest request, HttpServletRequest servletRequest) { public ResponseEntity<?> login(@RequestBody LoginRequest request, HttpServletRequest servletRequest) {
String ip = servletRequest.getRemoteAddr(); String ip = servletRequest.getRemoteAddr();
@@ -67,21 +70,24 @@ public class AuthController {
@Autowired @Autowired
private TokenBlacklistService tokenBlacklistService; private TokenBlacklistService tokenBlacklistService;
@PostMapping("/logout") @PostMapping("/logout")
public ResponseEntity<?> logout(HttpServletRequest request) { public ResponseEntity<?> logout(HttpServletRequest request) {
String authHeader = request.getHeader("Authorization"); String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Bearer ")) { if (authHeader == null || !authHeader.startsWith("Bearer ")) {
return ResponseEntity.badRequest().body("Missing or invalid Authorization header"); return ResponseEntity.badRequest().body("Missing or invalid Authorization header");
}
String token = authHeader.substring(7);
tokenBlacklistService.blacklistToken(token);
return ResponseEntity.ok("Logged out successfully");
} }
@Autowired String token = authHeader.substring(7);
private RefreshTokenService refreshTokenService;
// Blacklist access token
tokenBlacklistService.blacklistToken(token);
// Extract user from token and delete their refresh token
String email = jwtService.extractUsername(token);
userRepository.findByEmail(email).ifPresent(refreshTokenService::deleteByUser);
return ResponseEntity.ok("Logged out successfully");
}
@PostMapping("/refresh") @PostMapping("/refresh")
public ResponseEntity<?> refresh(@RequestBody TokenRefreshRequest request) { public ResponseEntity<?> refresh(@RequestBody TokenRefreshRequest request) {
src/main/java/com/skycrate/backend/skycrateBackend/services/RefreshTokenService.java
+5
View File
@@ -39,4 +39,9 @@ public class RefreshTokenService {
public boolean isExpired(RefreshToken token) { public boolean isExpired(RefreshToken token) {
return token.getExpiryDate().isBefore(Instant.now()); return token.getExpiryDate().isBefore(Instant.now());
} }
public void deleteByUser(User user) {
refreshTokenRepo.deleteByUser(user);
}
} }