[H4] token_blacklist cleanup_expired re-verifies every JWT signature; stores whole tokens in RAM #18

Open
opened 2026-06-05 17:35:38 -07:00 by azcomputerguru · 0 comments

Severity: High

Component(s): server

Affected file(s):

  • server/src/auth/token_blacklist.rs:85

Problem:
cleanup_expired re-runs full JWT signature verification on every blacklisted token and stores whole tokens in RAM.

Recommended fix:
Store (token, exp) and make cleanup a simple time comparison.

Remediation phase: P4 (SPEC-023)

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H4) and REMEDIATION-PLAN.md (P4).

azcomputerguru added the severity:high, component:server, security labels 2026-06-05 17:35:38 -07:00
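The shape of the recommended fix, as an added example that is not the project's code: the `exp` claim is captured once, at revocation time, from claims that were already verified, and `cleanup_expired` becomes a plain integer comparison with no JWT parsing or signature check. `TokenBlacklist`, `revoke`, `is_revoked` and the Unix-seconds `now` parameter are assumed names for illustration.

```rust
use std::collections::HashMap;

/// Revoked tokens keyed by the raw token string, each with its `exp` claim
/// (seconds since the Unix epoch) recorded once, when the token is revoked.
/// Constructed for this example; not the project's own type.
#[derive(Default)]
pub struct TokenBlacklist {
    entries: HashMap<String, u64>,
}

impl TokenBlacklist {
    /// Record a revoked token. `exp` comes from claims that were verified
    /// when the token was accepted, so nothing is re-verified here.
    /// A token whose `exp` has already passed is not stored: it would be
    /// rejected by the normal expiry check anyway, and keeping it only costs RAM.
    pub fn revoke(&mut self, token: &str, exp: u64, now: u64) -> bool {
        if exp <= now {
            return false;
        }
        self.entries.insert(token.to_owned(), exp);
        true
    }

    /// Membership test used on the request path.
    pub fn is_revoked(&self, token: &str) -> bool {
        self.entries.contains_key(token)
    }

    /// Drop every entry whose `exp` has passed: one integer comparison per
    /// entry, no JWT parsing, no signature verification. Returns the count removed.
    pub fn cleanup_expired(&mut self, now: u64) -> usize {
        let before = self.entries.len();
        self.entries.retain(|_, exp| *exp > now);
        before - self.entries.len()
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }
}

fn main() {
    let mut bl = TokenBlacklist::default();
    bl.revoke("tok.A", 1_000, 500);
    bl.revoke("tok.B", 2_000, 500);
    println!("removed {} expired entries", bl.cleanup_expired(1_500));
}
```

Entries with `exp == now` are dropped as well, since a JWT is only valid while the current time is strictly before `exp`.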

Reference: azcomputerguru/guru-connect#18