Add ability to revoke the access token

Author: kilbot

includes/API/Auth.php

@@ -324,7 +324,12 @@ public function delete_session( WP_REST_Request $request ): WP_REST_Response {
 		}
 
 		$auth_service = AuthService::instance();
-		$result       = $auth_service->revoke_session( (int) $user_id, $jti );
+
+		// Try to get the access token JTI from the request to blacklist it
+		$access_jti = $this->get_current_access_jti_from_request( $request );
+
+		// Revoke session and blacklist current access token
+		$result = $auth_service->revoke_session_with_blacklist( (int) $user_id, $jti, $access_jti );
 
 		if ( $result ) {
 			return rest_ensure_response( array(
@@ -528,4 +533,42 @@ private function get_current_jti_from_request( WP_REST_Request $request ): ?stri
 
 		return $decoded->jti ?? null;
 	}
+
+	/**
+	 * Get current access token JTI from the request's authorization token.
+	 *
+	 * @param WP_REST_Request $request The REST request object.
+	 *
+	 * @return string
+	 */
+	private function get_current_access_jti_from_request( WP_REST_Request $request ): string {
+		// Try to get the token from Authorization header
+		$auth_header = $request->get_header( 'authorization' );
+
+		if ( empty( $auth_header ) ) {
+			// Try query parameter
+			$auth_header = $request->get_param( 'authorization' );
+		}
+
+		if ( empty( $auth_header ) ) {
+			return '';
+		}
+
+		// Extract token from "Bearer TOKEN"
+		$token = str_replace( 'Bearer ', '', $auth_header );
+
+		if ( empty( $token ) ) {
+			return '';
+		}
+
+		// Decode the access token to get its JTI
+		$auth_service = AuthService::instance();
+		$decoded      = $auth_service->validate_token( $token, 'access' );
+
+		if ( is_wp_error( $decoded ) ) {
+			return '';
+		}
+
+		return $decoded->jti ?? '';
+	}
 }

includes/Server.php

@@ -9,11 +9,14 @@
 
 namespace WCPOS\WooCommercePOS;
 
+use WCPOS\WooCommercePOS\Services\Auth;
 use WP_REST_Request;
+use WP_REST_Server;
 
 class Server {
 	public function __construct() {
 		add_filter( 'woocommerce_rest_check_permissions', array( $this, 'check_permissions' ) );
+		add_filter( 'rest_pre_dispatch', array( $this, 'track_session_activity' ), 10, 3 );
 	}
 
 	/**
@@ -73,4 +76,92 @@ protected function get_json_last_error() {
 
 		return json_last_error_msg();
 	}
+
+	/**
+	 * Track session activity on every authenticated REST API request.
+	 *
+	 * @param mixed           $result Response to replace the requested version with.
+	 * @param WP_REST_Server  $server Server instance.
+	 * @param WP_REST_Request $request Request used to generate the response.
+	 *
+	 * @return mixed
+	 */
+	public function track_session_activity( $result, $server, $request ) {
+		// Only track for WCPOS API requests
+		$route = $request->get_route();
+		if ( ! str_starts_with( $route, '/wcpos/' ) ) {
+			return $result;
+		}
+
+		// Skip for auth endpoints (they handle their own tracking)
+		if ( str_starts_with( $route, '/wcpos/v1/auth/' ) ) {
+			return $result;
+		}
+
+		// Get authorization token
+		$token = $this->extract_token_from_request( $request );
+		if ( empty( $token ) ) {
+			return $result;
+		}
+
+		// Validate and extract refresh_jti from access token
+		$auth_service = Auth::instance();
+		$decoded      = $auth_service->validate_token( $token, 'access' );
+
+		if ( is_wp_error( $decoded ) ) {
+			return $result;
+		}
+
+		// Update session activity if we have refresh_jti
+		if ( ! empty( $decoded->refresh_jti ) && ! empty( $decoded->data->user->id ) ) {
+			$this->update_session_activity_throttled(
+				$decoded->data->user->id,
+				$decoded->refresh_jti
+			);
+		}
+
+		return $result;
+	}
+
+	/**
+	 * Extract token from request (header or query param).
+	 *
+	 * @param WP_REST_Request $request The REST request.
+	 *
+	 * @return string
+	 */
+	private function extract_token_from_request( WP_REST_Request $request ): string {
+		// Try Authorization header
+		$auth_header = $request->get_header( 'authorization' );
+
+		if ( empty( $auth_header ) ) {
+			// Try query parameter
+			$auth_header = $request->get_param( 'authorization' );
+		}
+
+		if ( empty( $auth_header ) ) {
+			return '';
+		}
+
+		// Extract token from "Bearer TOKEN"
+		return str_replace( 'Bearer ', '', $auth_header );
+	}
+
+	/**
+	 * Update session activity with rate limiting (once per minute).
+	 *
+	 * @param int    $user_id User ID.
+	 * @param string $jti Refresh token JTI.
+	 */
+	private function update_session_activity_throttled( int $user_id, string $jti ): void {
+		// Rate limit: only update once per minute per session
+		$cache_key   = "wcpos_session_activity_{$user_id}_{$jti}";
+		$last_update = wp_cache_get( $cache_key, 'wcpos' );
+
+		// If never updated or last update was more than 60 seconds ago
+		if ( false === $last_update || ( time() - $last_update ) > 60 ) {
+			Auth::instance()->update_session_activity( $user_id, $jti );
+			wp_cache_set( $cache_key, time(), 'wcpos', 60 );
+		}
+	}
 }

includes/Services/Auth.php

@@ -115,6 +115,17 @@ public function validate_token( $token = '', $token_type = 'access' ) {
 				);
 			}
 
+			// Check if access token is blacklisted (for instant revocation)
+			if ( 'access' === $token_type && isset( $decoded_token->jti ) ) {
+				if ( $this->is_access_token_blacklisted( $decoded_token->jti ) ) {
+					return new WP_Error(
+						'woocommerce_pos_auth_token_revoked',
+						'Access token has been revoked',
+						array( 'status' => 403 )
+					);
+				}
+			}
+
 			// Everything looks good return the decoded token
 			return $decoded_token;
 		} catch ( Exception $e ) {
@@ -133,10 +144,11 @@ public function validate_token( $token = '', $token_type = 'access' ) {
 	 * Generate an access token for the provided user (short-lived).
 	 *
 	 * @param WP_User $user
+	 * @param string  $refresh_jti Optional refresh token JTI to link access token to session.
 	 *
 	 * @return string|WP_Error
 	 */
-	public function generate_access_token( WP_User $user ) {
+	public function generate_access_token( WP_User $user, string $refresh_jti = '' ) {
 		// First thing, check the secret key if not exist return a error
 		if ( ! $this->get_secret_key() ) {
 			return new WP_Error(
@@ -166,10 +178,14 @@ public function generate_access_token( WP_User $user ) {
 		 */
 		$expire = apply_filters( 'woocommerce_pos_jwt_access_token_expire', $issued_at + ( HOUR_IN_SECONDS / 2 ), $issued_at );
 
+		// Generate unique JTI for access token
+		$jti = wp_generate_uuid4();
+
 		$token = array(
 			'iss'  => get_bloginfo( 'url' ),
 			'iat'  => $issued_at,
 			'exp'  => $expire,
+			'jti'  => $jti,
 			'type' => 'access',
 			'data' => array(
 				'user' => array(
@@ -178,6 +194,11 @@ public function generate_access_token( WP_User $user ) {
 			),
 		);
 
+		// Link to refresh token if provided
+		if ( ! empty( $refresh_jti ) ) {
+			$token['refresh_jti'] = $refresh_jti;
+		}
+
 		/*
 		 * Let the user modify the access token data before the sign.
 		 *
@@ -274,16 +295,24 @@ public function generate_refresh_token( WP_User $user ) {
 	 * @return array|WP_Error
 	 */
 	public function generate_token_pair( WP_User $user ) {
-		$access_token = $this->generate_access_token( $user );
-		if ( is_wp_error( $access_token ) ) {
-			return $access_token;
-		}
-
+		// Generate refresh token first to get its JTI
 		$refresh_token = $this->generate_refresh_token( $user );
 		if ( is_wp_error( $refresh_token ) ) {
 			return $refresh_token;
 		}
 
+		// Decode to get the JTI
+		$decoded_refresh = $this->validate_token( $refresh_token, 'refresh' );
+		if ( is_wp_error( $decoded_refresh ) ) {
+			return $decoded_refresh;
+		}
+
+		// Generate access token with link to refresh token
+		$access_token = $this->generate_access_token( $user, $decoded_refresh->jti ?? '' );
+		if ( is_wp_error( $access_token ) ) {
+			return $access_token;
+		}
+
 		$issued_at = time();
 		$expire    = apply_filters( 'woocommerce_pos_jwt_access_token_expire', $issued_at + ( HOUR_IN_SECONDS / 2 ), $issued_at );
 
@@ -399,8 +428,8 @@ public function refresh_access_token( string $refresh_token ) {
 		// Update last_active timestamp for this session
 		$this->update_session_activity( $decoded->data->user->id, $decoded->jti ?? '' );
 
-		// Generate new access token (refresh token stays the same)
-		$new_access_token = $this->generate_access_token( $user );
+		// Generate new access token with link to refresh token (refresh token stays the same)
+		$new_access_token = $this->generate_access_token( $user, $decoded->jti ?? '' );
 		if ( is_wp_error( $new_access_token ) ) {
 			return $new_access_token;
 		}
@@ -587,7 +616,7 @@ public function revoke_all_sessions_except( int $user_id, string $current_jti ):
 	 *
 	 * @return bool
 	 */
-	private function update_session_activity( int $user_id, string $jti ): bool {
+	public function update_session_activity( int $user_id, string $jti ): bool {
 		$refresh_tokens = get_user_meta( $user_id, '_woocommerce_pos_refresh_tokens', true );
 		if ( ! \is_array( $refresh_tokens ) || ! isset( $refresh_tokens[ $jti ] ) ) {
 			return false;
@@ -768,4 +797,63 @@ private function parse_user_agent( string $user_agent ): array {
 
 		return $device_info;
 	}
+
+	/**
+	 * Blacklist an access token by JTI (for instant revocation).
+	 *
+	 * @param string $jti Access token JTI.
+	 * @param int    $ttl Time to live in seconds (until token expires).
+	 *
+	 * @return bool
+	 */
+	public function blacklist_access_token( string $jti, int $ttl ): bool {
+		if ( empty( $jti ) ) {
+			return false;
+		}
+
+		// Use transient with TTL matching token expiration
+		return set_transient( "wcpos_blacklist_{$jti}", true, $ttl );
+	}
+
+	/**
+	 * Check if an access token is blacklisted.
+	 *
+	 * @param string $jti Access token JTI.
+	 *
+	 * @return bool
+	 */
+	private function is_access_token_blacklisted( string $jti ): bool {
+		if ( empty( $jti ) ) {
+			return false;
+		}
+
+		// Check transient
+		return false !== get_transient( "wcpos_blacklist_{$jti}" );
+	}
+
+	/**
+	 * Revoke session and blacklist current access token.
+	 *
+	 * @param int    $user_id
+	 * @param string $refresh_jti Refresh token JTI.
+	 * @param string $access_jti Optional access token JTI to blacklist immediately.
+	 *
+	 * @return bool
+	 */
+	public function revoke_session_with_blacklist( int $user_id, string $refresh_jti, string $access_jti = '' ): bool {
+		// Revoke the refresh token (session)
+		$revoked = $this->revoke_session( $user_id, $refresh_jti );
+
+		// Blacklist the current access token if provided
+		if ( $revoked && ! empty( $access_jti ) ) {
+			// Calculate TTL - access tokens expire in 30 minutes by default
+			$issued_at = time();
+			$expire    = apply_filters( 'woocommerce_pos_jwt_access_token_expire', $issued_at + ( HOUR_IN_SECONDS / 2 ), $issued_at );
+			$ttl       = max( 0, $expire - $issued_at );
+
+			$this->blacklist_access_token( $access_jti, $ttl );
+		}
+
+		return $revoked;
+	}
 }