Skip to content

fix: concurrent session logout not invalidating JWT on first system#412

Merged
snehar-nd merged 1 commit into
release-3.8.1from
fix/concurrent-session-jwt-denylist
May 14, 2026
Merged

fix: concurrent session logout not invalidating JWT on first system#412
snehar-nd merged 1 commit into
release-3.8.1from
fix/concurrent-session-jwt-denylist

Conversation

@snehar-nd
Copy link
Copy Markdown
Contributor

@snehar-nd snehar-nd commented May 14, 2026

📋 Description

JIRA ID:

AMM-2306

✅ Type of Change

  • 🐞 Bug fix (non-breaking change which resolves an issue)

ℹ️ Additional Information

logOutUserFromConcurrentSession only cleaned up old-style Redis session keys but never added the displaced user's JWT to the denylist. Because JwtUserIdValidationFilter validates solely via JWT signature and the denylist, System 1's token remained valid and all APIs returned 200 after System 2 forced a concurrent login.

The root serialization bug: redisTemplate value serializer is Jackson2JsonRedisSerializer, so storing a plain String JTI caused a deserialization failure on retrieval. Fixed by using the existing StringRedisTemplate bean for the jti: key operations.

Fix:

  • Store username->JTI mapping via StringRedisTemplate at login (both userAuthenticate and superUserAuthenticate)
  • On concurrent-session logout, retrieve the JTI, add it to the denylist, evict user_ from User cache, and clean up jti: key
  • Add getAccessTokenExpiration() to JwtUtil to supply the TTL

@snehar-nd @claude
fix: concurrent session logout not invalidating JWT on first system
80fa0e5 
logOutUserFromConcurrentSession only cleaned up old-style Redis session
keys but never added the displaced user's JWT to the denylist. Because
JwtUserIdValidationFilter validates solely via JWT signature and the
denylist, System 1's token remained valid and all APIs returned 200
after System 2 forced a concurrent login.

The root serialization bug: redisTemplate value serializer is
Jackson2JsonRedisSerializer<User>, so storing a plain String JTI
caused a deserialization failure on retrieval. Fixed by using the
existing StringRedisTemplate bean for the jti: key operations.

Fix:
- Store username->JTI mapping via StringRedisTemplate at login
  (both userAuthenticate and superUserAuthenticate)
- On concurrent-session logout, retrieve the JTI, add it to the
  denylist, evict user_<id> from User cache, and clean up jti: key
- Add getAccessTokenExpiration() to JwtUtil to supply the TTL

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 14, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b54d7be-b8bb-48bb-8d88-662dbc06c2a5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/concurrent-session-jwt-denylist

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 14, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@snehar-nd snehar-nd merged commit c82c9ad into release-3.8.1 May 14, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vanitha1822 vanitha1822 vanitha1822 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@snehar-nd @vanitha1822