Insufficient token revocation in express-jwt
Description
No token revocation is configured for `express-jwt`. A leaked or stolen token therefore remains valid until it expires, and there is no way to revoke it on the server side. Consider supplying a function as the `isRevoked` option.
Examples
Insecure Code

```javascript
const JWT = require('express-jwt');
const auth = JWT({ secret: 'shhhhh' });
```

Secure Code
```javascript
const JWT = require('express-jwt');
const auth = JWT({
  secret: 'shhhhh',
  // express-jwt calls isRevoked(req, payload, done) and waits for done(err, revoked);
  // a callback that never calls done() leaves the request hanging.
  isRevoked: (req, payload, done) => {
    /* custom revocation logic, e.g. check payload.jti against a denylist */
    done(null, false);
  },
});
```

Remediation
Add an `isRevoked` function to the `express-jwt` options so that every request's token is checked against your revocation state and revoked tokens are rejected.
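The following is an added example, not code from the rule page or from `express-jwt` itself: a revocation store keyed by the token's `jti` claim (with a per-user "revoke everything issued before time T" cutoff), wrapped in an `isRevoked` callback using the `(req, payload, done)` signature shown above (express-jwt 6.x; express-jwt 7+ instead expects `isRevoked: async (req, token) => boolean` with the claims at `token.payload`). The in-memory store, `buildAuth` and the `expressJwt` parameter are assumptions standing in for a shared store such as Redis and the app's real wiring.

```javascript
// Added example (assumption): revocation state for express-jwt's isRevoked option.
// In production this would be backed by a shared store (Redis, DB), not process memory.
class RevocationStore {
  constructor() {
    this.revokedJtis = new Set();   // individually revoked tokens, by jti claim
    this.revokedBefore = new Map(); // sub -> unix seconds; tokens issued earlier are dead
  }
  revokeToken(jti) { this.revokedJtis.add(jti); }
  revokeAllForUser(sub, nowSec) { this.revokedBefore.set(sub, nowSec); }
  isRevoked(payload) {
    // A token without a jti cannot be revoked individually, so fail closed.
    if (!payload || typeof payload.jti !== 'string') return true;
    if (this.revokedJtis.has(payload.jti)) return true;
    const cutoff = this.revokedBefore.get(payload.sub);
    if (cutoff !== undefined) {
      // Missing or too-old iat means the token predates a "log out everywhere".
      if (typeof payload.iat !== 'number' || payload.iat < cutoff) return true;
    }
    return false;
  }
}

// express-jwt 6.x contract: isRevoked(req, payload, done), done(err, revoked).
function makeIsRevoked(store) {
  return function isRevoked(req, payload, done) {
    try {
      done(null, store.isRevoked(payload));
    } catch (err) {
      done(err); // an error in the lookup rejects the request rather than allowing it
    }
  };
}

// Hypothetical wiring: `expressJwt` is the factory from require('express-jwt').
function buildAuth(expressJwt, store, secret) {
  return expressJwt({ secret, algorithms: ['HS256'], isRevoked: makeIsRevoked(store) });
}
```

On logout, call `store.revokeToken(payload.jti)`; on password change or account compromise, call `store.revokeAllForUser(sub, now)` so every token issued before that moment is rejected.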
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0406 |
| Category | Auth |
| Severity | HIGH |
| CWE | CWE-522 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | jwt, token revocation |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |