Bug #17

JWT Tokens Remain Valid After Password Change

Added by Vivek Kumar about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: High
Assignee: -
Start date: 03/16/2026
Due date: -
% Done: 100%
Estimated time: -
Spent time: -

Description

After changing the account password using the /api/admin/password endpoint, previously issued JWT tokens remain valid and can still be used to access protected API endpoints.
This behavior allows any attacker who has obtained a valid JWT token to continue accessing the account even after the legitimate user changes their password.
For sensitive accounts such as Admin / Super Admin, this poses a significant security risk because password change does not effectively terminate existing authenticated sessions.

Steps to Reproduce

  1. Login as an admin user and obtain a JWT token.
  2. Send a password change request: POST /api/admin/password
  3. After the password is successfully changed, continue using the same JWT token to access protected API endpoints.
  4. Observe that the requests are still accepted.

Actual Result
Previously issued JWT tokens remain valid even after the password is changed.

Expected Result
All previously issued JWT tokens should be invalidated after a password change to ensure that any potentially compromised tokens cannot continue to access the account.

Security Impact
If an attacker obtains a valid JWT token through:

  • XSS attacks
  • Token leakage
  • Browser storage access
  • Network interception

they will retain access to the account even after the user changes their password.

The request has been added to the Postman team workspace for easier replay and API verification.


Files

POST password change api.txt (1.07 KB): raw POST request for password change. Vivek Kumar, 03/16/2026 10:27 AM

#1

Updated by Adhi Narayanan about 1 month ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

We have done it like this:
Access token expires → refresh silently → user stays logged in

🎯 This EXACTLY matches your requirement

✔ Auto refresh when possible
✔ Auto logout when refresh fails

🧠 Final Architecture
🔐 Tokens

Access Token → short-lived (2 min) // for development we have set it to 2 min

Refresh Token → long-lived (7 days, stored in an httpOnly cookie)

🔄 Flow (What happens internally)

  • User logs in → gets access token + refresh cookie
  • API request → uses access token
  • Access token expires → backend sends 401
  • Frontend intercepts → calls /refresh-token
  • New access token received
  • Original request retried automatically
  • User never notices anything

🚪 What happens when the user logs out?

👉 When the user clicks Logout, you must:

✅ 1. Delete refresh token from DB
✅ 2. Clear refresh token cookie
✅ 3. Remove access token from frontend (memory)

#2

Updated by Vivek Kumar about 1 month ago

  • Status changed from Resolved to In Progress
#3

Updated by Adhi Narayanan about 1 month ago

  • Status changed from In Progress to Resolved