Is it possible to revoke a token with Nancy.Authentication.Token?
I have looked at the source code and tests, but I don't see a way to revoke the token. I need to cover scenarios where I disable access for a user and need it immediately.
Given that the token is stored in keyChain.bin, it might be possible to deserialize the collections, deocline all the tokens, delete the desired one, serialize the collection again. This sounds more complicated. Are there any other methods I could use?
Update
I can potentially keep a separate list of user ids and the token that was issued and then map the token to the keyChain collection.
Update 2
After playing with the keyChain file, things get a little more confusing. After creating a new user, I issue a token:
var newServiceIdentity = siteSecurityManager.CreateServiceUser(user.UserId, user.Password)
.GetServiceIdentity();
string token = _tokenizer.Tokenize(newServiceIdentity, this.Context);
newServiceIdentity.Token = token;
siteSecurityManager.RegisterToken(newServiceIdentity);
var fileStore = new FileSystemTokenKeyStore(_rootPathProvider);
var allKeys = fileStore.Retrieve() as Dictionary<DateTime, byte[]>;
return new { Token = token };
By default, Nancy will store each token in a binary, so if your server has to be dropped, user sessions will survive. With another browser session, I connect to the credentials of the new users and access the site. When I add another user, I expect the allKeys score to increase to reflect my admin session as well as the new user connected to a different browser. I see the account of one and the key matches the admin token.
My login method does indeed issue a token for every user that connects with the correct credentials. This logic is as follows:
var userServiceIdentity = ServiceIdentityMapper.ValidateUser(user.UserId, user.Password);
if (userServiceIdentity == null)
{
return HttpStatusCode.Unauthorized;
}
else
{
string token = _tokenizer.Tokenize(userServiceIdentity, this.Context);
return new { Token = token };
}
I store the token and return it with every Ajax call. The implication here is that I have token entries, otherwise the authentication will fail. But if the keyChain.bin is not updated, then I cannot continue with the idea of registering the token and the user in a separate store and then clear that token to revoke access.
source to share
As Jeff, the author of the code, explained to me, keyChain.bin only stores the key that is used to generate the token. This means that the relevant information is only stored on the client, and a simple comparison of the client token is used to avoid asking for source code. Jeff full explanation here
A possible solution would be to keep a separate list of black listed tokens / users. This is perhaps best dictated by business practice. There are indeed times when you should block a user immediately. This can be achieved by issuing a purge for all tokens and force logins for all legitimate users. Small inconvenience in some scenarios and unacceptable for others.
source to share