Logout with active_sessions feature does not invalidate JWT

[Samuelodan]

Hi there,
I'm trying to implement logout in an app, but the test indicate that the JWT still works after logout.

here's my test

    context 'Without Global logout' do
      it "invalidates the JWT" do
        account = create(:user)
        # login user
        post "/v1/auth/login", as: :json, params: {
          email: account.email,
          password: account.password
        }
        expect(response).to have_http_status(200)

        bearer_token = response.headers["Authorization"]

        # logout
        post "/v1/auth/logout", as: :json

        new_password = "newpassword"

        # attempt to change user password with same JWT (bearer_token)
        post "/v1/auth/change-password", as: :json, params: {
          password: account.password,
          new_password: new_password,
          password_confirmation: new_password
        }, headers: { Authorization: bearer_token }
        expect(response).to have_http_status(401)
        error_message = response.parsed_body.fetch("error")
        expect(error_message).to eq "Please login to continue"
      end
    end

The change password response comes back successful instead of failing.

I've added the feature to the config file. Is there anything I'm doing wrong?

[janko]

Are you calling rodauth.check_active_session in the route block? That's what actually checks whether the current session is active and doesn't let the request go through otherwise.

route do |r|
  rodauth(:v1).check_active_session
  r.rodauth(:v1)
end

I just added a test to the official demo app, and it works just fine, logout does invalidate the previous token.

[Samuelodan]

Oh, interesting, I didn't know to call check_active_session in there. Thanks. I was starting to think I should try including an Authorization in the logout request.
How does the rodauth know the current session tho (especially with JWT)? I'm curious.

Edit: I just looked at your test and saw you added the header to the request. That makes sense to me now.

[Samuelodan]

One more question. If I wanted to logout globally, what value would I pass to the global_logout param? I couldn't find that info in Rodauth's Docs.

[janko]

You can provide any value for global_logout, Rodauth just checks that the param is present.

[Samuelodan]

I see. Thank you.