api/Program.cs

@@ -39,7 +39,8 @@ builder.Services.AddAuthentication(options => {
         ValidateIssuerSigningKey = true,
         ValidIssuer = "agologum",
         ValidAudience = "agologum",
-        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
+        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
+        ClockSkew = TimeSpan.Zero
     };
 });
 

api/src/Controllers/AuthController.cs

@@ -67,10 +67,10 @@ public class AuthController : ControllerBase {
 
     [Authorize] // authorize is handled by middleware
     [HttpPost("logout")]
-    public ActionResult Logout() {
-        // dummy endpoint
-        // logout happens upon client-side jwt removal
-        // TODO: expire all refresh tokens 
+    public async Task<ActionResult> Logout(string refreshTokenString) {
+        // revoke refresh token
+        bool success = await jwt_.RevokeRefreshToken(refreshTokenString);
+        if(!success) return NotFound();
         return Ok();
     }
 
@@ -106,7 +106,6 @@ public class AuthController : ControllerBase {
     }
 
     // TODO
-    // refresh tokens
     // email verification
     // password reset
     // oh hell naw 2FA I do not care enough

api/src/Services/JwtService.cs

@@ -69,4 +69,12 @@ public class JwtService {
         return await db_.Users.FindAsync(id);
     }
 
+    public async Task<bool> RevokeRefreshToken(string refreshTokenString) {
+        var refreshToken = await db_.RefreshTokens.FirstOrDefaultAsync(u => u.Token == refreshTokenString);
+        if(refreshToken == null) return false;
+        refreshToken.IsRevoked = true;
+        await db_.SaveChangesAsync();
+        return true;
+    }
+
 }