This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Harden session JWT revocation #64

Merged
haasonsaas merged 3 commits into main from codex/asb-session-jwt-hardening on Apr 15, 2026

Conversation

@haasonsaas (Collaborator)

Summary

  • add jti, nbf, and iss claims to ASB session JWTs and validate them on verify
  • persist the session token ID, add memory/Redis token revocation stores, and revoke token IDs when sessions are revoked
  • reject revoked token IDs during authenticated request handling and add coverage for JWT claim validation and runtime-backed revocation

Closes #6

Validation

  • go test ./internal/crypto/sessionjwt ./internal/store/memory ./internal/store/redis ./internal/app -count=1
  • go test ./... -count=1
  • go test ./... -race -count=1
  • GOTOOLCHAIN=go1.26.0 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.3 run --timeout=5m ./...
  • go run github.com/securego/gosec/v2/cmd/gosec@v2.22.4 ./cmd/... ./internal/...

@cursor cursor bot commented Apr 15, 2026

PR Summary

Medium Risk
Touches session-token signing/verification and request authentication paths; misconfiguration (issuer/clock skew) or revocation-store issues could block valid sessions or fail to revoke promptly.

Overview
Hardens session authentication by introducing a distinct TokenID for session JWTs (stored in DB) and adding strict JWT standard-claim handling (jti, nbf, iss) with configurable issuer and clock skew.

Adds runtime-backed session-token revocation: sessions now generate/persist token_id, RevokeSession records token revocation in the runtime store (memory/Redis), and authenticated request handling rejects revoked tokens before loading the session. Includes new migration for sessions.token_id plus tests covering JWT claim validation and revocation enforcement.

Reviewed by Cursor Bugbot for commit 03b97ea. Bugbot is set up for automated code reviews on this repo.

RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(session.ExpiresAt),
IssuedAt: jwt.NewNumericDate(session.CreatedAt),
NotBefore: jwt.NewNumericDate(session.CreatedAt.Add(-m.clockSkew)),

Double clock skew applied to nbf claim

Low Severity

The nbf claim in Sign is set to session.CreatedAt.Add(-m.clockSkew), which already subtracts the clock skew. Then Verify applies jwt.WithLeeway(m.clockSkew), which adds another clockSkew tolerance to the nbf check. The golang-jwt library validates nbf as now >= nbf - leeway, so the effective check becomes now >= CreatedAt - 2*clockSkew. With the default 30-second clockSkew, tokens are accepted starting 60 seconds before creation rather than the intended 30. The nbf value passed to Sign likely just needs to be session.CreatedAt, letting the leeway handle clock skew uniformly across all time claims.


Reviewed by Cursor Bugbot for commit c85cb17.


Bugbot Autofix determined this is a false positive.

Verify also enforces iat with the same leeway, so tokens still cannot be accepted before CreatedAt - clockSkew even though nbf is backdated.

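As an added example (not code from the PR or the ASB project), a minimal HS256 JWT sign/verify in Python that performs the jti, nbf and iss checks described in the PR summary, treats a set of revoked token IDs as a stand-in for the memory/Redis revocation store, and makes the nbf-versus-iat leeway interaction from the Bugbot thread above observable. The key, issuer name and clock-skew value are constructed demo values; the claim-check order mirrors the Verify path as the comments describe it, and `check` returns None on acceptance or the rejection reason otherwise.

```python
import base64, hashlib, hmac, json

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(key: bytes, claims: dict) -> str:
    # HS256 compact serialisation: base64url(header).base64url(payload).base64url(mac)
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def verify(key: bytes, token: str, issuer: str, now: int, leeway: int, revoked) -> dict:
    # Order as in the PR's Verify path: signature, iss, jti, then each time claim
    # widened by leeway (what golang-jwt's WithLeeway does), then the revocation store.
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if not claims.get("jti"):
        raise ValueError("missing jti")
    if now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now < claims["nbf"] - leeway:
        raise ValueError("not yet valid (nbf)")
    if now < claims["iat"] - leeway:
        raise ValueError("issued in the future (iat)")
    if claims["jti"] in revoked:  # stand-in for the memory/Redis token revocation store
        raise ValueError("token revoked")
    return claims

KEY, ISSUER, SKEW = b"constructed-demo-key", "asb", 30  # constructed demo values
def session_token(created: int, jti: str, backdate_nbf: bool) -> str:
    # backdate_nbf=True reproduces the PR's nbf = CreatedAt - clockSkew
    nbf = created - SKEW if backdate_nbf else created
    return sign(KEY, {"iss": ISSUER, "jti": jti, "iat": created, "nbf": nbf, "exp": created + 3600})

def check(token: str, now: int, revoked=frozenset()):
    # None when the token is accepted, else the rejection reason
    try:
        verify(KEY, token, ISSUER, now, SKEW, revoked)
        return None
    except ValueError as e:
        return str(e)
```

With the backdated nbf, the nbf check alone would admit the token up to 60 seconds before creation, but the iat check with the same leeway still rejects it at 31 seconds before creation, which is the false-positive reasoning given above.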

@haasonsaas haasonsaas marked this pull request as ready for review April 15, 2026 22:52
@haasonsaas haasonsaas merged commit d06830b into main Apr 15, 2026
7 checks passed
@haasonsaas haasonsaas deleted the codex/asb-session-jwt-hardening branch April 15, 2026 22:52

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.

Reviewed by Cursor Bugbot for commit 03b97ea.

manager.clockSkew = clockSkew
}
}
}

Exported WithClockSkew option is never used

Low Severity

WithClockSkew is an exported Option function that is defined but never called anywhere in the codebase — not in production code, bootstrap wiring, or tests. It's dead code introduced in this PR.


Reviewed by Cursor Bugbot for commit 03b97ea.

Development: merging this pull request may close the linked issue "Harden JWT tokens with jti, nbf, iss claims and revocation tracking".