Missing revoke method on JWT

  • Rule ID: javascript_express_jwt_not_revoked
  • Languages: javascript
  • Source: jwt_not_revoked.yml

Description

Failing to implement a revoke method for JSON Web Tokens (JWTs) can lead to security vulnerabilities, especially when the tokens contain sensitive information: without one, an issued token stays valid until it expires, even after a logout or a compromise. In order to maintain the integrity and confidentiality of any data contained within JWTs, it is best practice to always provide a way to revoke them.

Remediations

  • Do ensure JWTs are short-lived by implementing a method to revoke them. This reduces the risk of unauthorized access to sensitive information.
    expressjwt({
    ...
    // pass the function itself, not its return value: express-jwt calls it
    // per request as isRevoked(req, token) and rejects the request when it
    // resolves to true
    isRevoked: this.customRevokeCall,
    ...
    })
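    An added example of what such a revoke method can look like (not code from the Bearer rule page or from express-jwt): an in-memory revocation store and an `isRevoked` callback in the shape express-jwt 7+ expects, `async (req, token) => boolean`, where `token.payload` holds the decoded claims. It assumes tokens carry `jti`, `sub`, `iat` and `exp` in epoch seconds; `RevocationStore` and `makeIsRevoked` are names chosen here.

```javascript
// Added example; assumes jti/sub/iat/exp claims in epoch seconds. In
// production both Maps would live in a shared store (e.g. Redis) so every
// app instance sees the same revocations.
class RevocationStore {
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;
    this.revokedJti = new Map();       // jti -> exp, so entries can be pruned
    this.revokedAllBefore = new Map(); // sub -> cutoff (epoch seconds)
  }

  // Revoke one token (logout). Its exp is kept so prune() can drop the
  // entry once the token would have expired on its own.
  revokeToken(payload) {
    if (typeof payload.jti !== "string" || typeof payload.exp !== "number") {
      throw new Error("token needs jti and exp to be individually revocable");
    }
    this.revokedJti.set(payload.jti, payload.exp);
  }

  // Revoke every token issued to sub up to now (password reset, compromise).
  revokeAllForSubject(sub) {
    this.revokedAllBefore.set(sub, this.now());
  }

  // Drop denylist entries whose tokens have already expired.
  prune() {
    const now = this.now();
    for (const [jti, exp] of this.revokedJti) if (exp <= now) this.revokedJti.delete(jti);
  }

  isRevoked(payload) {
    if (payload.jti !== undefined && this.revokedJti.has(payload.jti)) return true;
    const cutoff = this.revokedAllBefore.get(payload.sub);
    if (cutoff === undefined) return false;
    // Fail closed: no iat, or iat at or before the cutoff, counts as revoked.
    return typeof payload.iat !== "number" || payload.iat <= cutoff;
  }
}

// Builds the function to pass as isRevoked in expressjwt({ ... }).
// A token that cannot be inspected is treated as revoked.
function makeIsRevoked(store) {
  return async (req, token) => {
    const payload = token && token.payload;
    if (!payload || typeof payload !== "object") return true;
    return store.isRevoked(payload);
  };
}
```

Because each denylist entry is kept only until that token's `exp`, the store stays bounded as long as tokens are short-lived, which is the other half of this rule's remediation.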

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_jwt_not_revoked

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_jwt_not_revoked