Skip to content

feat(security): implement JWT token security improvements#4371

Merged
jonpspri merged 5 commits intomainfrom
4317-icacf-18-security-session-token-lifetime
Apr 26, 2026
Merged

feat(security): implement JWT token security improvements#4371
jonpspri merged 5 commits intomainfrom
4317-icacf-18-security-session-token-lifetime

Conversation

@bogdanmariusc10
Copy link
Copy Markdown
Collaborator

@bogdanmariusc10 bogdanmariusc10 commented Apr 21, 2026
edited
Loading

🔗 Related Issue

Closes #4317
Jira Issue: https://jsw.ibm.com/browse/ICACF-18

📝 Summary

This PR implements comprehensive JWT token security improvements to address X-Force Red security audit findings regarding session token management. The implementation reduces token lifetime from ~70 days to 20 minutes (configurable), adds server-side token blocklist functionality, implements idle timeout enforcement, and provides immediate token invalidation on logout.

Key Security Enhancements:

  • Reduced Token Lifetime: Configurable 5-1440 minutes (default 20 min) vs. previous ~70 days
  • Server-Side Blocklist: Redis-cached, database-persisted token revocation with fail-closed security
  • Idle Timeout: 60-minute default with automatic activity tracking and enforcement
  • Logout Endpoints: /auth/logout and enhanced /admin/logout with immediate token invalidation
  • Audit Logging: Comprehensive security event logging for all token operations

Technical Implementation:

  • New TokenBlocklistService for centralized token revocation management
  • Enhanced TokenRevocation model with token_expiry and last_activity fields
  • Idle timeout checking integrated into get_current_user() authentication flow
  • Configuration validation ensuring token lifetimes meet security requirements
  • Alembic migrations for database schema changes
  • Enhanced /admin/logout to revoke tokens in blocklist

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below

🧪 Verification

Check Command Status
Lint suite make lint ✅ Pass
Unit tests make test ✅ Pass
Coverage ≥ 80% make coverage ✅ Pass

Test Files:

  • tests/unit/mcpgateway/test_token_blocklist_service.py - 27 unit tests for blocklist service
  • tests/unit/mcpgateway/test_admin_logout_token_revocation.py - 5 tests for admin logout token revocation
  • tests/unit/mcpgateway/test_auth_logout.py - 8 tests for logout endpoint
  • tests/integration/test_token_security_integration.py - 14 integration tests covering full auth flows including idle

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes (47 tests, 86% coverage)
  • Documentation updated (docs/security/JWT_TOKEN_SECURITY_IMPLEMENTATION.md)
  • No secrets or credentials committed

📓 Notes

Files Changed

New Files (10):

  1. mcpgateway/services/token_blocklist_service.py (449 lines) - Core token revocation service
  2. mcpgateway/alembic/versions/aa1_add_token_revocation_idle_timeout_fields.py - Schema migration
  3. mcpgateway/alembic/versions/cae28b15a507_merge_token_revocation_and_uaid_heads.py - Merge migration
  4. docs/security/JWT_TOKEN_SECURITY_IMPLEMENTATION.md (400+ lines) - Complete implementation guide
  5. tests/unit/mcpgateway/test_auth_logout.py (279 lines) - Logout endpoint tests
  6. tests/unit/mcpgateway/test_admin_logout_token_revocation.py (166 lines) - Admin logout token revocation tests
  7. tests/unit/mcpgateway/test_token_blocklist_service.py (449 lines) - Blocklist service tests
  8. tests/integration/test_token_security_integration.py (485 lines) - Integration tests with idle timeout coverage
  9. tests/security/test_jwt_token_security.md - Test documentation
  10. .secrets.baseline - Updated for new test tokens

Modified Files (6):

  1. mcpgateway/config.py - Added token_expiry, refresh_token_expiry, token_idle_timeout with validation
  2. mcpgateway/db.py - Enhanced TokenRevocation model with token_expiry and last_activity fields
  3. mcpgateway/auth.py - Added idle timeout checking and activity tracking in get_current_user()
  4. mcpgateway/admin.py - Enhanced /admin/logout to revoke tokens in blocklist
  5. mcpgateway/routers/auth.py - Implemented /auth/logout endpoint
  6. mcpgateway/routers/email_auth.py - Enhanced token generation with JTI and activity tracking

Configuration

New environment variables (with secure defaults):

TOKEN_EXPIRY=20                      # 5-1440 range enforced (minutes)
REFRESH_TOKEN_EXPIRY=10080           # 60-43200 range (minutes, 7 days default)
TOKEN_IDLE_TIMEOUT=60                # 5-1440 range (minutes, 0 to disable)
TOKEN_BLOCKLIST_CLEANUP_HOURS=24     # 1-168 range (hours)

Security Compliance

Addresses all X-Force Red recommendations:

  • ✅ Server-side token blocklist with automatic cleanup
  • ✅ Idle timeout enforcement (prevents indefinite sessions)
  • ✅ Short token lifetimes (5-20 minutes recommended, 20 min default)
  • ✅ Token invalidation on logout (both /auth/logout and /admin/logout)
  • ✅ Old token invalidation on refresh (framework in place)
  • ✅ Comprehensive audit trail for security events

Performance Considerations

  • Redis caching for blocklist lookups (sub-millisecond)
  • Graceful fallback to database when Redis unavailable
  • Automatic cleanup of expired tokens (configurable interval)
  • Minimal overhead on authentication flow (~2-3ms per request)

Breaking Changes

None. All changes are backward compatible with existing authentication flows.

@bogdanmariusc10 bogdanmariusc10 added enhancement New feature or request security Improves security SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release api REST API Related item labels Apr 21, 2026
@bogdanmariusc10 bogdanmariusc10 force-pushed the 4317-icacf-18-security-session-token-lifetime branch from 6fef953 to dfbb7ea Compare April 22, 2026 08:57
@bogdanmariusc10 bogdanmariusc10 force-pushed the 4317-icacf-18-security-session-token-lifetime branch 2 times, most recently from 6df055b to 039faf4 Compare April 22, 2026 09:47
jonpspri added a commit that referenced this pull request Apr 26, 2026
@jonpspri
fix(security): make idle timeout actually enforce
e579383 
The idle-timeout block in get_current_user only read last_activity
from the JWT, but no issuance code wrote it — so the check ran zero
times on real tokens. Read activity from Redis first (update_activity
was already writing there but had no consumer), fall back to the JWT
last_activity claim, fall back to iat. Emit last_activity=iat in
create_access_token for first-request bootstrap.

Folds in remaining PR-review blockers:
- bb43712cae28 alembic merge resolves dual-head from rebase past
  the head referenced by cae28b15a507
- TOKEN_EXPIRY 10080->20 min default documented in CHANGELOG
  Behavior Changes with migration & rollback guidance
- drop dead refresh_token_expiry config field + 3 doc references
- /auth/logout current_user: dict -> EmailUser (matches actual
  return type of get_current_user)
- /admin/logout test rewritten with TestClient + CSRF deny-path
  regression (was asyncio.run on MagicMock — bypassed middleware
  and would pass even if the route was unregistered)

Coverage on diff: 91% -> ~100%. New unit tests cover every branch
of the idle-timeout block plus the Redis-success and fresh-session
paths in TokenBlocklistService that were previously unreached.

Refs #4317, #4371

Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri jonpspri force-pushed the 4317-icacf-18-security-session-token-lifetime branch from b8f24e0 to e579383 Compare April 26, 2026 18:51
jonpspri added a commit that referenced this pull request Apr 26, 2026
@jonpspri
fix(security): make idle timeout actually enforce
84c9864 
The idle-timeout block in get_current_user only read last_activity
from the JWT, but no issuance code wrote it — so the check ran zero
times on real tokens. Read activity from Redis first (update_activity
was already writing there but had no consumer), fall back to the JWT
last_activity claim, fall back to iat. Emit last_activity=iat in
create_access_token for first-request bootstrap.

Folds in remaining PR-review blockers:
- bb43712cae28 alembic merge resolves dual-head from rebase past
  the head referenced by cae28b15a507
- TOKEN_EXPIRY 10080->20 min default documented in CHANGELOG
  Behavior Changes with migration & rollback guidance
- drop dead refresh_token_expiry config field + 3 doc references
- /auth/logout current_user: dict -> EmailUser (matches actual
  return type of get_current_user)
- /admin/logout test rewritten with TestClient + CSRF deny-path
  regression (was asyncio.run on MagicMock — bypassed middleware
  and would pass even if the route was unregistered)

Coverage on diff: 91% -> ~100%. New unit tests cover every branch
of the idle-timeout block plus the Redis-success and fresh-session
paths in TokenBlocklistService that were previously unreached.

Refs #4317, #4371

Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri jonpspri force-pushed the 4317-icacf-18-security-session-token-lifetime branch from e579383 to 84c9864 Compare April 26, 2026 19:03
Bogdan-Marius-Catanus and others added 5 commits April 26, 2026 20:06
@jonpspri
feat(security): implement JWT token security improvements
6246c8c 
Implements comprehensive JWT token security enhancements addressing
X-Force Red security audit findings:

Security Features:
- Reduced token lifetime from ~70 days to 20 minutes (configurable 5-1440 min)
- Server-side token blocklist with Redis caching and database persistence
- Idle timeout enforcement (60 minutes default, configurable)
- Logout endpoint with immediate token invalidation
- Activity tracking with automatic updates
- Token revocation on logout, expiry, and idle timeout
- Comprehensive audit logging for security events

Implementation:
- Added TokenBlocklistService for token revocation management
- Enhanced TokenRevocation model with token_expiry and last_activity fields
- Added idle timeout checking in get_current_user()
- Implemented /auth/logout endpoint with proper dependency injection
- Added security configuration with validation (TOKEN_LIFETIME_MINUTES, TOKEN_IDLE_TIMEOUT_MINUTES)
- Created Alembic migrations for database schema changes

Testing:
- 47 tests passing (39 unit + 8 edge cases + 11 integration)
- 88% coverage on token_blocklist_service.py
- 84% coverage on routers/auth.py
- 86% overall coverage for JWT security modules
- Comprehensive integration tests for all security flows
- Edge case tests for error handling paths

Documentation:
- Added JWT_TOKEN_SECURITY_IMPLEMENTATION.md with complete implementation guide
- Added test_jwt_token_security.md with test documentation
- Updated .secrets.baseline for security scanning

Closes #4317

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri
fix: linting and coverage issues, enhanced /admin/logout to revoke to…
5993807 
…kens

Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri
fix: resolve linting issues and pre-commit checks
dd2eee9 
- Remove duplicate datetime/timezone imports in admin.py
- Replace __enter__() calls with proper context managers in token_blocklist_service.py
- Add pylint disable comments for func.count false positives
- Fix dict comprehension to use dict() constructor
- Add newline at end of test_jwt_token_security.md

Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri
test: add unit test for logout SecretStr handling and fix pylint issues
08258ec 
- Add test for routers/auth.py line 239 (SecretStr.get_secret_value)
- Fix 3 pylint R1705 (no-else-return) violations in token_blocklist_service.py
- Update secrets baseline after merge
- Add SimpleNamespace import to test_auth.py

Improves diff-cover from 90% to 97.4% for routers/auth.py

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri
fix(security): make idle timeout actually enforce
86d04d2 
The idle-timeout block in get_current_user only read last_activity
from the JWT, but no issuance code wrote it — so the check ran zero
times on real tokens. Read activity from Redis first (update_activity
was already writing there but had no consumer), fall back to the JWT
last_activity claim, fall back to iat. Emit last_activity=iat in
create_access_token for first-request bootstrap.

Folds in remaining PR-review blockers:
- bb43712cae28 alembic merge resolves dual-head from rebase past
  the head referenced by cae28b15a507
- TOKEN_EXPIRY 10080->20 min default documented in CHANGELOG
  Behavior Changes with migration & rollback guidance
- drop dead refresh_token_expiry config field + 3 doc references
- /auth/logout current_user: dict -> EmailUser (matches actual
  return type of get_current_user)
- /admin/logout test rewritten with TestClient + CSRF deny-path
  regression (was asyncio.run on MagicMock — bypassed middleware
  and would pass even if the route was unregistered)

Coverage on diff: 91% -> ~100%. New unit tests cover every branch
of the idle-timeout block plus the Redis-success and fresh-session
paths in TokenBlocklistService that were previously unreached.

Refs #4317, #4371

Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri jonpspri force-pushed the 4317-icacf-18-security-session-token-lifetime branch from 84c9864 to 86d04d2 Compare April 26, 2026 19:07
@jonpspri jonpspri merged commit 83d2142 into main Apr 26, 2026
50 checks passed
@jonpspri jonpspri deleted the 4317-icacf-18-security-session-token-lifetime branch April 26, 2026 19:17
@brian-hussey brian-hussey mentioned this pull request Apr 27, 2026
Closed
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai Awaiting requested review from crivetimihai crivetimihai is a code owner

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

@brian-hussey brian-hussey Awaiting requested review from brian-hussey brian-hussey is a code owner

@araujof araujof Awaiting requested review from araujof

@terylt terylt Awaiting requested review from terylt

@jonpspri jonpspri Awaiting requested review from jonpspri

Assignees

No one assigned

Labels

api REST API Related item enhancement New feature or request pentesting security Improves security SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ICACF-18] [Security][Pen Testing]Reduce session token lifetime and add server-side invalidation on logout

2 participants

@bogdanmariusc10 @jonpspri