[PR #1240] Replace JWT blacklist with user login_enabled validation #1201

Open
opened 2026-02-27 09:11:18 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1240
Author: @coolguy1771
Created: 8/7/2025
Status: 🔄 Open

Base: main ← Head: feat/jwt-user-validation


📝 Commits (5)

  • 17189a1 feat: add login_enabled database field users
  • 89ef5dc fix: streamline existing attribute check in migrate_to_v11 function
  • c7a9f91 feat: add user login_enabled validation to JWT verification
  • 6022edf chore: run cargo fmt
  • 5efda23 chore: remove unnecessary blank line in TcpBackendHandler trait

📊 Changes

9 files changed (+114 additions, -21 deletions)


📝 crates/domain-model/src/model/users.rs (+3 -0)
📝 crates/ldap/src/core/user.rs (+2 -1)
📝 crates/sql-backend-handler/src/sql_migrations.rs (+58 -1)
📝 crates/sql-backend-handler/src/sql_tables.rs (+1 -1)
📝 crates/sql-backend-handler/src/sql_user_backend_handler.rs (+1 -0)
📝 server/src/auth_service.rs (+29 -14)
📝 server/src/graphql_server.rs (+7 -4)
📝 server/src/sql_tcp_backend_handler.rs (+10 -0)
📝 server/src/tcp_backend_handler.rs (+3 -0)

📄 Description

Summary

This PR replaces the JWT blacklist mechanism with real-time validation of the user's login_enabled status.

Changes

  • Removed JWT Blacklist:

    • Removed the in-memory JWT blacklist that was incompatible with high-availability deployments
  • Added User Status Validation:

    • Added is_user_login_enabled method to check user status from the database
    • Modified check_if_token_is_valid to be async and query the user's status on every JWT validation
    • Returns "User account is disabled" error when a disabled user attempts to use a JWT
  • Updated JWT Validation Flow:

    • JWT validation now queries the database on every request to check if the user is enabled
    • Immediate access revocation when an account is disabled (no need to wait for JWT expiry)

Testing

  • Code compiles without errors
  • JWT validation properly checks user status

Addresses part of #1193

Dependencies

Needs #1239 to be merged first


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
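As an added illustration (not code from lldap or from this PR), a stdlib-only Python sketch of the flow the description outlines: verify the signature and expiry first, then look up the user's login_enabled status on every request instead of consulting an in-memory blacklist, so a disabled account is rejected immediately by every replica that shares the database. The secret, user table, claim names and bodies are constructed here; only the names is_user_login_enabled and check_if_token_is_valid mirror the PR.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; not lldap's key material


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, exp: int) -> str:
    """Mint an HS256 JWT for `user` expiring at unix time `exp`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"user": user, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Constructed stand-in for the users table with its new login_enabled column.
USERS = {"alice": {"login_enabled": True}, "bob": {"login_enabled": False}}


def is_user_login_enabled(user: str) -> bool:
    """Per-request status lookup; the source of truth is shared, not per-process."""
    row = USERS.get(user)
    return bool(row and row["login_enabled"])


def check_if_token_is_valid(token: str, now: Optional[int] = None) -> str:
    """Return the user name on success; raise ValueError with a reason otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("Unexpected algorithm")  # refuse alg downgrades
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("Invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("Token expired")
    if not is_user_login_enabled(claims["user"]):  # replaces the blacklist check
        raise ValueError("User account is disabled")
    return claims["user"]
```

Flipping USERS["alice"]["login_enabled"] to False revokes an otherwise valid, unexpired token on the very next call, which is the behaviour the PR describes.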
