Wrong behaviour with JWT and auth.user after DB reset

Hello!

I found a strange behavior about JWT and auth.user using the default auth middleware.

I start my server with a fresh database and two users seeded, A and B.

I then log in as user B and get a JWT token that I use to access a protected route.

The auth.user is the correct one: B.

I then reset my migrations and reseed the DB, but this time I removed B from the seeds.

I then try to access the protected route using the SAME token that was generated in the first server / migration / seed run.

To my surprise, it passes the auth check and returns A as the authenticated user!!!

I am not a security guru but I feel there is something wrong with this behaviour.

Of course I also tested simply removing the second user while the server is still running, but then the behaviour is correct: E_INVALID_JWT_TOKEN.

My guess is that auth is only based on the serial id of the user in the DB to match users and not on other things like email and so on.

Anybody with more insights?

Best,

1 Like

I do not see anything strange in this situation because:

  • Most likely that access token has not expired yet
  • You only reset the migrations: this means you are still using the same private key and the hashing algorithm to sign the tokens.
3 Likes

This guess is correct 🙂
I also don’t see it as an issue, since your user IDs should not change in a production database 🙂

2 Likes

Yeah, agreed it’s an edge case.

The thing is that it lets you impersonate another user with the same token, because after a migration reset the ids are reset.

Never mind, the best practice here is to regenerate the secret with the migration reset I guess.

thx!

1 Like