Revoke refresh token on logout for enhanced session security

2025-07-03 03:21:53 +05:30
parent 31f13b980b
commit 9cb9c67b09
2 changed files with 24 additions and 13 deletions
@@ -27,6 +27,9 @@ public class AuthController {
        this.userRepository = userRepository;
    }

+    @Autowired
+    private RefreshTokenService refreshTokenService;
+
    @PostMapping("/login")
    public ResponseEntity<?> login(@RequestBody LoginRequest request, HttpServletRequest servletRequest) {
        String ip = servletRequest.getRemoteAddr();
@@ -67,21 +70,24 @@ public class AuthController {
    @Autowired
    private TokenBlacklistService tokenBlacklistService;

-    @PostMapping("/logout")
-    public ResponseEntity<?> logout(HttpServletRequest request) {
+@PostMapping("/logout")
+public ResponseEntity<?> logout(HttpServletRequest request) {
    String authHeader = request.getHeader("Authorization");
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
        return ResponseEntity.badRequest().body("Missing or invalid Authorization header");
    }

    String token = authHeader.substring(7);
+
+    // Blacklist access token
    tokenBlacklistService.blacklistToken(token);

-        return ResponseEntity.ok("Logged out successfully");
-    }
+    // Extract user from token and delete their refresh token
+    String email = jwtService.extractUsername(token);
+    userRepository.findByEmail(email).ifPresent(refreshTokenService::deleteByUser);

-    @Autowired
-    private RefreshTokenService refreshTokenService;
+    return ResponseEntity.ok("Logged out successfully");
+}

    @PostMapping("/refresh")
    public ResponseEntity<?> refresh(@RequestBody TokenRefreshRequest request) {
@@ -39,4 +39,9 @@ public class RefreshTokenService {
    public boolean isExpired(RefreshToken token) {
        return token.getExpiryDate().isBefore(Instant.now());
    }
+
+    public void deleteByUser(User user) {
+        refreshTokenRepo.deleteByUser(user);
+    }
+
 }