Kong Admin API shows expired JWT


#1

Even after the JWT has expired, the JWT sessions are not deleted for the user. I can still see all the sessions at the URL http://127.0.0.1:8001/consumers/USER_ID/jwt/ (through the Admin API).
Is this a problem in any way? Is Kong going to delete all such expired sessions by itself, or do I have to delete them one by one using DELETE requests?


#2

I would think it makes sense to have an expiry time on these when cached, but maybe Kong lacks that currently. Luckily I bounce my Kong nodes weekly, so it will get cleared out eventually, but this is a good find. I would think they would accept a PR for such logic if you find where to drop it in :slight_smile: !

EDIT because I had to double take - Actually, this is just the definition/properties needed to make a JWT; this does not represent a JWT produced at a certain instant in time. So no, this is not a concern for Kong.
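To make the distinction in the edit above concrete, here is an added example (not code from the thread or from Kong) that models the two objects involved: the JWT *credential* that the Admin API lists under `/consumers/{id}/jwt` (a key, a secret, an algorithm, and no expiry), and a *token* minted from it with an `exp` claim. The sample credential, secret and timestamps are constructed; the verifier only implements HS256 and mirrors the usual gateway order of checks (resolve `iss` to a credential, check the signature, then check `exp`).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample of a JWT credential as returned by GET /consumers/{id}/jwt.
# It carries the key (used as the token's iss claim), a shared secret and an
# algorithm. There is no expiry field: expiry lives in tokens, not in this record.
CREDENTIAL_STORE = {
    "demo-key": {"key": "demo-key", "secret": "demo-secret-change-me", "algorithm": "HS256"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(credential: dict, ttl_seconds: int, now=None) -> str:
    """Produce a token from a credential. Only HS256 is implemented here."""
    if credential["algorithm"] != "HS256":
        raise ValueError("example only implements HS256")
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iss": credential["key"], "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(credential["secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, store: dict, now=None) -> str:
    """Validate the way a gateway does and return a short verdict:
    ok, malformed, unknown_issuer, bad_algorithm, bad_signature or expired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    # The iss claim selects which stored credential to check against.
    credential = store.get(payload.get("iss")) if isinstance(payload, dict) else None
    if credential is None:
        return "unknown_issuer"
    # Pin the algorithm to the one configured on the credential.
    if header.get("alg") != "HS256" or credential["algorithm"] != "HS256":
        return "bad_algorithm"
    expected = hmac.new(
        credential["secret"].encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    # Expiry is a property of the token. The credential record is untouched by it.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return "expired"
    return "ok"


if __name__ == "__main__":
    cred = CREDENTIAL_STORE["demo-key"]
    tok = mint_token(cred, ttl_seconds=60, now=1000)
    print("t=1030:", verify_token(tok, CREDENTIAL_STORE, now=1030))
    print("t=1060:", verify_token(tok, CREDENTIAL_STORE, now=1060))
    print("credential still listed:", "demo-key" in CREDENTIAL_STORE)
```

Running it shows a token rejected as `expired` while the credential that signed it is still present in the store, which is exactly what the Admin API listing reflects. Note that Kong's jwt plugin only enforces `exp` when `config.claims_to_verify` includes it; a credential entry never expires on its own and stays valid for minting new tokens until it is deleted.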


#3

In the Postgres database, if I delete a user from the consumer table then her sessions are also deleted, as there is a cascade delete in the jwt_secret table. But in the case of Cassandra, it doesn’t happen. Orphan sessions of a deleted user remain there in Cassandra and there seems to be no way to clean them up in one shot. Though I can delete them one by one through their IDs, that is too tedious.


#4

Right, not the first time I have heard of the DB lacking some relationships that should be in place in the newer versions: if a consumer gets deleted, his creds and ACL groups should; if a route is deleted, its plugins should; if a service is deleted, its routes and plugins (and plugins on routes) should. I haven’t personally validated them myself, but it would make for a nice GitHub issue if someone takes some time to test them all out and validate which ones don’t have that relational behavior :slight_smile: .
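For the one-by-one deletion problem raised in #3 and #4, here is an added example (not code from the thread or from Kong) that automates the `GET /consumers/{id}/jwt` listing and `DELETE /consumers/{id}/jwt/{credential_id}` calls from the thread so a consumer's JWT credentials can be purged in one run, ideally before the consumer itself is deleted on a Cassandra deployment where nothing cascades. The listing shape (`data` array with an optional `next` page link) follows the Admin API's usual pagination format, the ids and keys are constructed, and the HTTP transport is injected so the logic runs offline.

```python
import json
import urllib.error
import urllib.request

# Constructed sample of one page of GET /consumers/{id}/jwt. Field names follow
# the Admin API listing shape; the ids and keys are made up for this example.
SAMPLE_LISTING = json.dumps({
    "data": [
        {"id": "0f1e2d3c-0000-4000-8000-000000000001", "key": "key-a", "consumer_id": "c-1"},
        {"id": "0f1e2d3c-0000-4000-8000-000000000002", "key": "key-b", "consumer_id": "c-1"},
    ],
    "next": None,
})


def credential_ids(listing_body: str) -> list:
    """Extract the credential ids from one page of the listing."""
    return [item["id"] for item in json.loads(listing_body).get("data", [])]


def urllib_send(method: str, url: str):
    """Real transport for the Admin API: returns (status, body)."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def purge_consumer_jwts(base_url: str, consumer: str, send=urllib_send, dry_run: bool = True) -> list:
    """List a consumer's JWT credentials (following `next` pages if present) and
    DELETE each one by id. Returns (credential_id, outcome) pairs, where outcome
    is "would-delete" in dry-run mode or the HTTP status of the DELETE."""
    list_url = f"{base_url}/consumers/{consumer}/jwt"
    ids = []
    page_url = list_url
    while page_url:
        status, body = send("GET", page_url)
        if status != 200:
            raise RuntimeError(f"listing {page_url} failed: HTTP {status}")
        ids.extend(credential_ids(body))
        nxt = json.loads(body).get("next")
        # Assumption: `next` is a path relative to the Admin API root.
        page_url = f"{base_url}{nxt}" if nxt and nxt.startswith("/") else nxt
    results = []
    for cid in ids:
        if dry_run:
            results.append((cid, "would-delete"))
            continue
        status, _ = send("DELETE", f"{list_url}/{cid}")
        results.append((cid, status))
    return results


def fake_send_factory(listing_body: str):
    """Offline stand-in for urllib_send that records every call it receives."""
    calls = []

    def send(method, url):
        calls.append((method, url))
        return (200, listing_body) if method == "GET" else (204, "")

    return send, calls


if __name__ == "__main__":
    # Dry run against a fake transport; swap in urllib_send and dry_run=False
    # to act on a real Admin API listening on 127.0.0.1:8001.
    send, calls = fake_send_factory(SAMPLE_LISTING)
    for cid, outcome in purge_consumer_jwts("http://127.0.0.1:8001", "c-1", send):
        print(cid, outcome)
```

The default is a dry run that only reports what would be removed; pass `dry_run=False` with the real transport to delete. Because the credential records are the material a consumer mints tokens from, purging them is the right step when a consumer is retired, whichever datastore is behind Kong.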