Figure out a way to invalidate ONE user JWT/Session #277

Open
bbuechler opened this issue Oct 29, 2020 · 1 comment
Labels
enhancement New feature or request security fix Security fix generated by WhiteSource

Comments

@bbuechler
Contributor

Right now we can change the JWT secret, but that would invalidate ALL sessions.

It would be nice if we could kill ONE specific user session.

I'm not sure how we could pull it off, but it'd be a useful feature.

@bbuechler bbuechler added enhancement New feature or request security fix Security fix generated by WhiteSource labels Oct 29, 2020
@bbuechler
Contributor Author

Assume a blacklist, stored in a reject variable, looks like this:

{
  "blacklist": {
    "badguy1231": 1619104148, 
    "user112412": 1617642228
  }
}

We should periodically re-download the list from the external endpoint to keep it fresh.

If our decoded_JWT is this:

{
  "first_name": "Brian",
  "last_name": "Badguy",
  "urs-user-id": "badguy1231",
  "urs-access-token": "longtokenvalue",
  "urs-groups": [  ],
  "iat": 1619103148,
  "exp": 1619707948
}

When we validate a token signature, we should also validate that our user's token has not been invalidated...

import logging

log = logging.getLogger(__name__)

def is_jwt_blacklisted(decoded_JWT, reject):

   # Shortcut: the user id is needed by every log line below, including the
   # "not in blacklist" case, so it is read before the branch
   urs_user_id = decoded_JWT["urs-user-id"]

   # Is "badguy1231" in blacklist?
   if urs_user_id in reject["blacklist"]:

      # Shortcuts
      jwt_mint_time = decoded_JWT["iat"]
      user_blacklist_time = reject["blacklist"][urs_user_id]
      log.debug(f"JWT was minted @ {jwt_mint_time}, Blacklist is for cookies BEFORE {user_blacklist_time}")

      # Is blacklist date "1619104148" >= JWT mint date "1619103148"
      if user_blacklist_time >= jwt_mint_time:
         log.info(f"User {urs_user_id}'s JWT was minted before blacklist date and is INVALID")
         return True

      else:
         # User appears in the blacklist, but this token is newer
         log.info(f"User {urs_user_id}'s JWT was minted AFTER blacklist date and is still VALID")
         return False

   # User is not in the blacklist
   log.info(f"User {urs_user_id} is NOT in the blacklist")
   return False

⬆️ complete untested code, but that's the logic
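The following is an added example (not code from this project or its author) showing where the per-user cutoff check from the comment above fits in a full HS256 validation path: signature first, then exp, then the blacklist. The reject list, secret and mint_jwt helper are constructed for illustration; only the standard library is used.

```python
import base64, hmac, hashlib, json, time

# Constructed sample revocation list in the shape proposed in the issue:
# user id -> "reject tokens minted at or before this epoch second".
REJECT = {"blacklist": {"badguy1231": 1619104148, "user112412": 1617642228}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Hypothetical helper: build an HS256-signed JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def is_jwt_blacklisted(decoded_jwt: dict, reject: dict) -> bool:
    """Per-user revocation: the token is dead if minted at or before the cutoff."""
    cutoff = reject["blacklist"].get(decoded_jwt["urs-user-id"])
    return cutoff is not None and decoded_jwt["iat"] <= cutoff

def validate_jwt(token: str, secret: bytes, reject: dict, now=None):
    """Return (ok, reason, claims). Claims are only trusted after the signature checks out."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except (ValueError, json.JSONDecodeError):
        return False, "malformed", None
    if alg != "HS256":                      # pin the algorithm; never accept "none"
        return False, "unexpected alg", None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return False, "expired", claims
    if is_jwt_blacklisted(claims, reject):  # single-user kill switch from the issue
        return False, "revoked", claims
    return True, "ok", claims
```

The check order matters: a forged or expired token must be rejected before its claims are used to index the blacklist.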
