Session token previously blacklisted on refresh


#1

Hi,

We are using DreamFactory 2.2.0 (Bitnami installer) with the following configuration:

  • DF_ALLOW_FOREVER_SESSIONS=true
  • DF_JWT_TTL=300

Each time a user opens our client app, the previous session token is automatically refreshed with a PUT request as explained in the wiki.

Everything works fine most of the time, but it seems that when the client app is used from different devices but with the same user credentials sometimes one of the clients receives the following error from the server when trying to refresh the session token:

{"error":{"context":null,"message":"Thetokenhasbeenblacklisted","code":500,"trace":["0/opt/bitnami/apps/dreamfactory/htdocs/vendor/tymon/jwt-auth/src/JWTManager.php(98):Tymon\\JWTAuth\\JWTManager->decode(Object(Tymon\\JWTAuth\\Token))","1/opt/bitnami/apps/dreamfactory/htdocs/vendor/tymon/jwt-auth/src/JWTAuth.php(144):Tymon\\JWTAuth\\JWTManager->refresh(Object(Tymon\\JWTAuth\\Token))","2/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(6380):Tymon\\JWTAuth\\JWTAuth->refresh('eyJ0eXAiOiJKV1Q...')","3/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Utility/JWTUtilities.php(70):Illuminate\\Support\\Facades\\Facade::__callStatic('refresh',Array)","4/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Utility/JWTUtilities.php(70):Tymon\\JWTAuth\\Facades\\JWTAuth::refresh('eyJ0eXAiOiJKV1Q...')","5/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Resources/UserSessionResource.php(103):DreamFactory\\Core\\Utility\\JWTUtilities::refreshToken()","6[internalfunction]:DreamFactory\\Core\\Resources\\UserSessionResource->handlePUT()","7/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Components/RestHandler.php(267):call_user_func(Array)","8/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Components/RestHandler.php(173):DreamFactory\\Core\\Components\\RestHandler->processRequest()","9/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Components/RestHandler.php(220):DreamFactory\\Core\\Components\\RestHandler->handleRequest(Object(DreamFactory\\Core\\Utility\\ServiceRequest),'')","10/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Components/RestHandler.php(168):DreamFactory\\Core\\Components\\RestHandler->handleResource(Array)","11/opt/bitnami/apps/dreamfactory/htdocs/vendor/dreamfactory/df-core/src/Services/BaseRestService.php(74):DreamFactory\\Core\\Components\\RestHandler->handleRequest(Object(DreamFactory\\Core\\Utility\\ServiceRequest),'session')","12/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(17036):DreamFactory\\Core\\Services\\BaseRestService->handleRequest(Object(DreamFactory\\Core\\Utility\\ServiceRequest),'session')","13/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(17012):DreamFactory\\Http\\Controllers\\RestController->handleService('v2','user','session')","14[internalfunction]:DreamFactory\\Http\\Controllers\\RestController->handlePUT('v2','user','session')","15/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9093):call_user_func_array(Array,Array)","16/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9155):Illuminate\\Routing\\Controller->callAction('handlePUT',Array)","17/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9135):Illuminate\\Routing\\ControllerDispatcher->call(Object(DreamFactory\\Http\\Controllers\\RestController),Object(Illuminate\\Routing\\Route),'handlePUT')","18[internalfunction]:Illuminate\\Routing\\ControllerDispatcher->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","19/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(52):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","20/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(17211):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","21[internalfunction]:DreamFactory\\Http\\Middleware\\AccessCheck->handle(Object(Illuminate\\Http\\Request),Object(Closure))","22/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","23[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","24/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","25[internalfunction]:Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","26/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9612):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","27/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9136):Illuminate\\Pipeline\\Pipeline->then(Object(Closure))","28/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9123):Illuminate\\Routing\\ControllerDispatcher->callWithinStack(Object(DreamFactory\\Http\\Controllers\\RestController),Object(Illuminate\\Routing\\Route),Object(Illuminate\\Http\\Request),'handlePUT')","29/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(8191):Illuminate\\Routing\\ControllerDispatcher->dispatch(Object(Illuminate\\Routing\\Route),Object(Illuminate\\Http\\Request),'DreamFactory\\\\Ht...','handlePUT')","30/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(8178):Illuminate\\Routing\\Route->runController(Object(Illuminate\\Http\\Request))","31/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(7892):Illuminate\\Routing\\Route->run(Object(Illuminate\\Http\\Request))","32[internalfunction]:Illuminate\\Routing\\Router->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","33/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(52):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","34[internalfunction]:Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","35/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9612):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","36/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(7893):Illuminate\\Pipeline\\Pipeline->then(Object(Closure))","37/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(7884):Illuminate\\Routing\\Router->runRouteWithinStack(Object(Illuminate\\Routing\\Route),Object(Illuminate\\Http\\Request))","38/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(7874):Illuminate\\Routing\\Router->dispatchToRoute(Object(Illuminate\\Http\\Request))","39/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(2416):Illuminate\\Routing\\Router->dispatch(Object(Illuminate\\Http\\Request))","40[internalfunction]:Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}(Object(Illuminate\\Http\\Request))","41/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(52):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","42/opt/bitnami/apps/dreamfactory/htdocs/app/Http/Middleware/AuthCheck.php(178):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","43[internalfunction]:DreamFactory\\Http\\Middleware\\AuthCheck->handle(Object(Illuminate\\Http\\Request),Object(Closure))","44/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","45[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","46/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","47/opt/bitnami/apps/dreamfactory/htdocs/vendor/barryvdh/laravel-cors/src/HandleCors.php(42):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","48[internalfunction]:Barryvdh\\Cors\\HandleCors->handle(Object(Illuminate\\Http\\Request),Object(Closure))","49/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","50[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","51/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","52/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(17306):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","53[internalfunction]:DreamFactory\\Http\\Middleware\\FirstUserCheck->handle(Object(Illuminate\\Http\\Request),Object(Closure))","54/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","55[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","56/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","57/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(13076):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","58[internalfunction]:Illuminate\\View\\Middleware\\ShareErrorsFromSession->handle(Object(Illuminate\\Http\\Request),Object(Closure))","59/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","60[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","61/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","62/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(11622):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","63[internalfunction]:Illuminate\\Session\\Middleware\\StartSession->handle(Object(Illuminate\\Http\\Request),Object(Closure))","64/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","65[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","66/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","67/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(12815):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","68[internalfunction]:Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse->handle(Object(Illuminate\\Http\\Request),Object(Closure))","69/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","70[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","71/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","72/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(12752):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","73[internalfunction]:Illuminate\\Cookie\\Middleware\\EncryptCookies->handle(Object(Illuminate\\Http\\Request),Object(Closure))","74/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","75[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","76/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","77/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(3271):Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","78[internalfunction]:Illuminate\\Foundation\\Http\\Middleware\\CheckForMaintenanceMode->handle(Object(Illuminate\\Http\\Request),Object(Closure))","79/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9627):call_user_func_array(Array,Array)","80[internalfunction]:Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))","81/opt/bitnami/apps/dreamfactory/htdocs/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(32):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","82[internalfunction]:Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))","83/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(9612):call_user_func(Object(Closure),Object(Illuminate\\Http\\Request))","84/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(2363):Illuminate\\Pipeline\\Pipeline->then(Object(Closure))","85/opt/bitnami/apps/dreamfactory/htdocs/bootstrap/cache/compiled.php(2347):Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter(Object(Illuminate\\Http\\Request))","86/opt/bitnami/apps/dreamfactory/htdocs/public/index.php(53):Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))","87{main}"]}}

We’ve checked that the previous session token (which is used for the PUT request) in both clients is not the same at the moment the problem happens, so we ruled out that one of the clients might be blacklisting the other’s session.

Is this a known issue in v2.2.0? Has anyone else experienced this problem?
Is there a way to track when and why a token has been blacklisted?

Thanks in advance.


#2

I run in to the same problem where sometimes my token is blacklisted even though the time has not expired. I even tested it with a TTL of 130000. The token gets blacklisted even though the session was never deleted (logout).

It’s a painful problem because the only solution for the user is to logout (which will also throw errors because of the blacklisted token) and log in again.


#3

So do you think this is a bug @benbusse ?


#4

Hello,

I have the same issue. After 60 minutes token is blacklisted.

Please @benbusse answer this topic.

DreamFactory Version: 2.3.1(Bitnami)


#5

The only way you can get the token blacklisted error is if you use a token that was already refreshed or logged out on. Expired token produces token expired error.

I am not really sure how your ( @rbarriuso) client app handles JWT. Would there be in any chance your client app is sending a token on the PUT call that was already refreshed or logged out on?

If you haven’t seen this already, here is a thread where forever JWT was discussed in great details before…


#6

@aislam No, we’re sure that our client isn’t sending a blacklisted token PUT call. And in spite of it, we still receive the error from time to time.

On a different topic, though related: when the time defined by DF_JWT_REFRESH_TTL in the .env file has passed, is the token considered as blacklisted too?