Skip to content

Fix logout auth and token revocation #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sip-21 wants to merge 51 commits into from
Closed

Fix logout auth and token revocation #4

sip-21 wants to merge 51 commits into from

Conversation

@sip-21
Copy link
Owner

@sip-21 sip-21 commented Nov 25, 2025
edited
Loading

Configurable access token expiration with optimized test speed

Added command-line configuration for access token expiration to enable
faster E2E tests while maintaining production defaults.

Server Changes (Kotlin)

TokenService.kt

  • Made accessTokenExpirationSeconds configurable via application config
  • Default: 60 seconds (production)
  • Reads from jwt.accessTokenExpirationSeconds property

Ambrosia.kt

  • Added --jwt-access-token-expiration CLI option (default: "60")
  • Passes option value to application config

Authorize.kt

  • Updated /login and /refresh cookie expiration to use
    tokenService.accessTokenExpirationSeconds instead of hardcoded 60s
  • Wrapped /logout endpoint in authenticate("auth-jwt") for proper
    authentication (security improvement)

Test Changes (Python)

test_server.py

  • Configured E2E tests to use 5-second token expiration via
    --jwt-access-token-expiration 5 for faster test runs
  • Added command logging for troubleshooting

test_auth_e2e.py

  • Renamed test_access_token_expires_after_one_minute to test_access_token_expiration_and_refresh updated the test to wait 8 seconds
    instead of 65 seconds
  • Removed manual cookie workarounds (httpx handles automatically)
  • Updated test_logout_revokes_tokens to expect proper authentication

test_routing_e2e.py

  • Added test_logout_revokes_tokens to verify server-side token
    revocation (70 lines)

Results

  • Test suite runs in ~15 seconds (was ~80 seconds) - 5.3× faster
  • Production behavior unchanged (60-second default)
  • Improved security: logout now requires authentication
  • Cleaner test code: removed 44 lines of manual cookie handling

Configuration

Production (default):
--jwt-access-token-expiration 60

Testing (E2E):
--jwt-access-token-expiration 5

@sip-21 sip-21 force-pushed the add-dynamic-secure-cookie-helper-for-auth-endpoints branch from c597ba9 to 6135ede Compare December 2, 2025 20:27
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from f3118cd to 4eb0bd4 Compare December 2, 2025 20:55
@sip-21 sip-21 force-pushed the add-dynamic-secure-cookie-helper-for-auth-endpoints branch from 6135ede to e96a468 Compare December 3, 2025 05:32
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from 8db6050 to da7ebfc Compare December 3, 2025 16:38
@sip-21
Copy link
Owner Author

sip-21 commented Dec 9, 2025

Postpone this for after the workshop presentation!

Sharmaz and others added 25 commits December 18, 2025 16:26
@Sharmaz
fix eslint config.
2da6e0c
@Sharmaz
fix eslint config.
2abe41c
@Sharmaz
fix dependencies vulnerabilities and lint erros at src level.
4d7dab3
@Sharmaz
fix i18n lint errors and improve it.
cbc41bc
@Sharmaz
add relative imports beyond @components.
5e2f83f
@Sharmaz
add relative imports in tests.
39b8fbf
@Sharmaz
add tests for SelectBusiness component.
4be034e
@Sharmaz
fix lint issues at onboarding locales, utils, and tests.
27a363a
@Sharmaz
fix linter errors and improve Onboarding components.
855644b
@Sharmaz
Merge branch 'development' into fix/onboarding
e77f9bd
@Sharmaz
Merge pull request olympus-btc#301 from Sharmaz/fix/onboarding
106deea 
Fix/onboarding
@Vidarte-Alberto
Solve lint problems in users, and add tests for users
1a7a9eb
@JordyPirata
refactor: update server tests workflow and add phoenixd installation …
bd3ca81 
…script
@JordyPirata
chore: update E2E tests trigger and enhance test logging in build con…
8fe6043 
…figuration
@JordyPirata
chore: add workflow_dispatch trigger to client unit tests and E2E tests
dc58926
@JordyPirata
chore: remove redundant RoutingTest and TestServer classes
45bf191
@JordyPirata
chore: rename workflow to 'Server Unit Tests' for clarity
5ad0c24
@JordyPirata
chore: remove verify.sh script as it is no longer needed
7d6237e
@JordyPirata
Merge pull request olympus-btc#305 from olympus-btc/feature/update-in…
b9c52cc 
…stall

Functional Refactoring and Installation Robustness
@Vidarte-Alberto
fix all comment resquested
63f9b74
@JordyPirata
chore: refactor installation scripts and enhance logging for Ambrosia…
4a51636 
… and Phoenixd
@JordyPirata
Merge pull request olympus-btc#306 from olympus-btc/feature/update-in…
3284667 
…stall

chore: refactor installation scripts
@Vidarte-Alberto
Merge pull request olympus-btc#302 from olympus-btc/fix/store-users
488d3be 
Solve lint problems in users, and add tests for users
@Vidarte-Alberto
Solve lint problems in products, and add tests for products
968f4c0
@Vidarte-Alberto
fix all comment resquested
cdd94a1
Vidarte-Alberto and others added 11 commits December 27, 2025 00:47
@Vidarte-Alberto
Increase product test coverage to 80%.
14555a9
@Sharmaz
Merge pull request olympus-btc#307 from Sharmaz/fix/store-settings
df332ba
@Vidarte-Alberto
Merge pull request olympus-btc#303 from olympus-btc/fix/store-products
792068e 
Solve lint problems in products, and add tests for products
@Vidarte-Alberto
Increase user test coverage to 100%.
80f9b9e
@Vidarte-Alberto
improve store cart coverage
be2cae2
@Vidarte-Alberto
solve import on cart test
c13f49c
@Vidarte-Alberto
Merge pull request olympus-btc#308 from olympus-btc/fix/store-users
0e43af1 
Increase user test coverage to 100%.
@JordyPirata
chore: enhance uninstall script by clarifying symlink removal messages
34de671
@Vidarte-Alberto
solve lint issues and implement more test to coverage 80%
c3294de
@JordyPirata
Merge pull request olympus-btc#309 from olympus-btc/feature/update-in…
efa4d87 
…stall

chore: enhance uninstall script by clarifying symlink removal messages
@Vidarte-Alberto
solve translate message
50e1fdf
@sip-21 sip-21 changed the base branch from add-dynamic-secure-cookie-helper-for-auth-endpoints to main December 30, 2025 23:32
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from 2c56aa3 to da7ebfc Compare December 31, 2025 00:30
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from da7ebfc to ac119a6 Compare December 31, 2025 01:57
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch 2 times, most recently from e50f95a to 1b83112 Compare December 31, 2025 18:10
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from 1b83112 to 50dca0b Compare January 3, 2026 02:20
sip-21 added 2 commits January 2, 2026 23:38
@sip-21
Authenticate logout route; make token expiration configurable
f14cc1c 
- Add configurable access token expiration via `--jwt-access-token-expiration` CLI option (default: 60s)
- Wrap `/logout` in `authenticate("auth-jwt")` to require authentication and ensure token revocation
@sip-21
Update packages
f3abb3c
@sip-21 sip-21 force-pushed the fix-logout-auth-and-token-revocation branch from 50dca0b to f3abb3c Compare January 3, 2026 02:47
@sip-21
Copy link
Owner Author

sip-21 commented Jan 5, 2026

Done.

@sip-21 sip-21 closed this Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sip-21 @Sharmaz @Vidarte-Alberto @JordyPirata