fix(backend): implemented jwt token invalidation so users cannot use it after expiry

7project/backend/app/api/auth.py

@@ -24,6 +24,23 @@ async def delete_me(
     await user_manager.delete(user)
 
 # Keep existing paths as-is under /auth/* and /users/*
+from fastapi import Request, Response
+from app.core.security import revoke_token, extract_bearer_token
+
+
+@router.post(
+    "/auth/jwt/logout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["auth"],
+    summary="Log out and revoke current token",
+)
+async def custom_logout(request: Request) -> Response:
+    """Revoke the current bearer token so it cannot be used anymore."""
+    token = extract_bearer_token(request)
+    if token:
+        revoke_token(token)
+    return Response(status_code=status.HTTP_204_NO_CONTENT)
+
 router.include_router(
     fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
 )

7project/backend/app/app.py

@@ -16,6 +16,8 @@ from app.api.csas import router as csas_router
 from app.api.categories import router as categories_router
 from app.api.transactions import router as transactions_router
 from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, UserManager, get_jwt_strategy
+from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt
+from app.services.user_service import SECRET
 
 
 from fastapi import FastAPI
@@ -49,6 +51,24 @@ fastApi.include_router(categories_router)
 fastApi.include_router(transactions_router)
 
 logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s')
+@fastApi.middleware("http")
+async def auth_guard(request: Request, call_next):
+    # Enforce revoked/expired JWTs are rejected globally
+    token = extract_bearer_token(request)
+    if token:
+        # Deny if token is revoked
+        if is_token_revoked(token):
+            from fastapi import Response, status as _status
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+        # Deny if token is expired or invalid
+        try:
+            decode_and_verify_jwt(token, SECRET)
+        except Exception:
+            from fastapi import Response, status as _status
+            return Response(status_code=_status.HTTP_401_UNAUTHORIZED)
+    return await call_next(request)
+
+
 @fastApi.middleware("http")
 async def log_traffic(request: Request, call_next):
     start_time = datetime.now()

7project/backend/app/core/security.py

@@ -0,0 +1,45 @@
+from typing import Optional
+import re
+import jwt
+from fastapi import Request
+
+# Simple in-memory revocation store. In production, consider Redis or database.
+_REVOKED_TOKENS: set[str] = set()
+
+# Bearer token regex
+_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$")
+
+
+def extract_bearer_token(request: Request) -> Optional[str]:
+    auth = request.headers.get("authorization")
+    if not auth:
+        return None
+    m = _BEARER_RE.match(auth)
+    if not m:
+        return None
+    return m.group(1).strip()
+
+
+def revoke_token(token: str) -> None:
+    if token:
+        _REVOKED_TOKENS.add(token)
+
+
+def is_token_revoked(token: str) -> bool:
+    return token in _REVOKED_TOKENS
+
+
+def decode_and_verify_jwt(token: str, secret: str) -> dict:
+    """
+    Decode the JWT using the shared secret, verifying expiration and signature.
+    Audience is not verified here to be compatible with fastapi-users default tokens.
+    Raises jwt.ExpiredSignatureError if expired.
+    Raises jwt.InvalidTokenError for other issues.
+    Returns the decoded payload dict on success.
+    """
+    return jwt.decode(
+        token,
+        secret,
+        algorithms=["HS256"],
+        options={"verify_aud": False},
+    )  # verify_exp is True by default