
User Logs Out Within Access Token Expiration Time, Old Access Token Still Used in Request Header Causes Background Interface to Remain Accessible #10962

Closed
5 tasks done
113223 opened this issue Nov 22, 2024 · 5 comments

@113223

113223 commented Nov 22, 2024

Self Checks

  • This is only for bug reports; if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (I have read and agree to the Language Policy).
  • [FOR CHINESE USERS] Please submit issues in English, otherwise they will be closed. Thank you! :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

0.11

Cloud or Self Hosted

Self Hosted (Source)

Steps to reproduce

When the user logs out within the expiration time of the access_token, but the old access_token is still used in the request header, the backend interface can still be accessed.

  1. First, log in with an account.
  2. Second, get the Authorization header from the WebUI.
  3. Third, click the logout button on the WebUI.
  4. Using Postman with the old token, the backend interface can still be accessed.

✔️ Expected Behavior

When the user logs out within the expiration time of the access_token, but the old access_token is still used in the request header, the backend interface should not be accessible.

❌ Actual Behavior

No response


dosubot bot commented Nov 22, 2024

Hey @113223! I'm here to help you with any bugs, questions, or contributions you have for the Dify project. Let me know how I can assist you!

The issue you're experiencing seems to be related to the access token not being invalidated immediately upon logout. In the Dify codebase, the logout functionality involves revoking the access token by deleting it from the Redis store using the revoke_token method in the TokenManager class. This should prevent further access with the token [1].

Here are a few things you might want to check or try:

  1. Ensure Token Revocation: Verify that the revoke_token method is being called correctly when the logout action is triggered. This method should delete the token from Redis, effectively invalidating it.

  2. Redis Configuration: Check your Redis configuration to ensure that the token is being stored and deleted as expected. Any issues with Redis connectivity or configuration might affect token revocation.

  3. Frontend Token Removal: Make sure that the frontend is correctly removing the access token from client-side storage upon logout. The removeAccessToken function should handle this by deleting the token from localStorage [2].

  4. API Endpoint: Confirm that the API endpoint responsible for handling logout is correctly implemented to interact with the token revocation process.

If these steps do not resolve the issue, there might be a need to further investigate the specific implementation details or any potential bugs in the codebase related to token management.

To continue talking to Dosu, mention @dosu.

@dosubot dosubot bot added the 🐞 bug Something isn't working label Nov 22, 2024
@laipz8200
Collaborator

This is how JWT works: it will expire quickly after you log out. More importantly, make sure to keep your token safe and avoid any leaks.

@laipz8200 laipz8200 removed the 🐞 bug Something isn't working label Nov 22, 2024
@113223
Author

113223 commented Nov 22, 2024

> This is how JWT works: it will expire quickly after you log out.

In fact, it will not expire quickly after you log out. When I use the AccountService.logout(account=account) function, it clears the refresh_token, but the access_token does not expire quickly; the old access_token is still used in the request header, and the backend interface can still be accessed.

@laipz8200
Collaborator

This is as expected. Please confirm that you are familiar with the JWT authorization.

If you have stricter security requirements, you can shorten the validity period of the JWT by adjusting the ACCESS_TOKEN_EXPIRE_MINUTES. However, it will still be usable until it expires.

@laipz8200 laipz8200 closed this as not planned Won't fix, can't repro, duplicate, stale Nov 22, 2024
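The two positions in this thread (dosubot's description of revoking the token by deleting it from Redis, and laipz8200's point that a signed JWT stays usable until its exp) are both correct about different checks. The added example below is not Dify's code: it mints an HS256 JWT with a per-token id (jti), shows that a purely stateless check still accepts the token after logout, and shows how a server-side revocation record (a dict standing in for the Redis store) makes the same token fail immediately while a freshly issued one keeps working. The secret, account id and timestamps are constructed values.

```python
"""Added example (not Dify's own code): stateless JWT check vs. a
revocation denylist consulted on every request after logout."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Callable, Dict, Optional

SECRET = b"constructed-demo-secret"  # assumption: HS256 signing key
ACCESS_TOKEN_EXPIRE_MINUTES = 60      # same setting name as in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(account_id: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT carrying a unique jti so it can be revoked individually."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": account_id,
        "jti": uuid.uuid4().hex,
        "iat": int(now),
        "exp": int(now) + ACCESS_TOKEN_EXPIRE_MINUTES * 60,
    }
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url(sig))


def decode_token(token: str, now: Optional[float] = None) -> dict:
    """Stateless check: signature and expiry only. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SECRET, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload["exp"] <= now:
        raise ValueError("expired")
    return payload


# Revocation store, jti -> exp. Redis plays this role in a real deployment;
# a dict is used here so the example runs offline. An entry can be dropped
# once its exp has passed, since decode_token rejects the token anyway.
REVOKED: Dict[str, int] = {}


def logout(token: str, now: Optional[float] = None) -> None:
    """Server-side logout: remember the token's jti until its natural expiry."""
    payload = decode_token(token, now)
    REVOKED[payload["jti"]] = payload["exp"]


def authenticate(token: str, now: Optional[float] = None) -> dict:
    """Check used by protected endpoints: signature, expiry AND denylist."""
    payload = decode_token(token, now)
    if payload["jti"] in REVOKED:
        raise ValueError("token revoked")
    return payload


def is_usable(token: str, check: Callable, now: Optional[float] = None) -> bool:
    """True if `check` accepts the token, False if it raises ValueError."""
    try:
        check(token, now)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Replay the reporter's scenario under both kinds of check."""
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_access_token("user-1", now=t0)
    result = {"before_logout": is_usable(token, authenticate, t0)}
    logout(token, now=t0 + 5)
    # Signature and exp alone still accept the token: what the reporter observed.
    result["stateless_after_logout"] = is_usable(token, decode_token, t0 + 10)
    # Consulting the revocation record rejects it right away.
    result["denylist_after_logout"] = is_usable(token, authenticate, t0 + 10)
    # Only the revoked jti is blocked; a newly issued token works.
    new_token = issue_access_token("user-1", now=t0 + 10)
    result["new_token"] = is_usable(new_token, authenticate, t0 + 10)
    # Expiry still applies independently of revocation.
    later = t0 + 10 + ACCESS_TOKEN_EXPIRE_MINUTES * 60
    result["after_expiry"] = is_usable(new_token, authenticate, later)
    return result


if __name__ == "__main__":
    print(demo())
```

The cost of the denylist is one lookup per request, bounded by the number of logouts within one ACCESS_TOKEN_EXPIRE_MINUTES window, which is why shortening that window (laipz8200's suggestion) and keeping a revocation record complement each other rather than compete.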
@113223
Author

113223 commented Nov 22, 2024

This is as expected. Please confirm that you are familiar with the JWT authorization.

If you have stricter security requirements, you can shorten the validity period of the JWT by adjusting the ACCESS_TOKEN_EXPIRE_MINUTES. However, it will still be usable until it expires.

Got it, thank you.
