Invalidate JWT in Backend Logout

proto/validator/accounts/v2/web_api.proto

@@ -89,6 +89,12 @@ service Auth {
             body: "*"
         };
     }
+    rpc Logout(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            post: "/v2/validator/logout",
+            body: "*"
+        };
+    }
 }
 
 // Type of key manager for the wallet, either direct, derived, or remote.

validator/rpc/auth.go

@@ -90,6 +90,17 @@ func (s *Server) Login(ctx context.Context, req *pb.AuthRequest) (*pb.AuthRespon
 	return s.sendAuthResponse()
 }
 
+// Logout a user by invalidating their JWT key.
+func (s *Server) Logout(ctx context.Context, _ *ptypes.Empty) (*ptypes.Empty, error) {
+	// Invalidate the old JWT key, making all requests done with its token fail.
+	jwtKey, err := createRandomJWTKey()
+	if err != nil {
+		return nil, status.Error(codes.Internal, "Could not invalidate JWT key")
+	}
+	s.jwtKey = jwtKey
+	return &ptypes.Empty{}, nil
+}
+
 // Sends an auth response via gRPC containing a new JWT token.
 func (s *Server) sendAuthResponse() (*pb.AuthResponse, error) {
 	// If everything is fine here, construct the auth token.

validator/rpc/auth_test.go

@@ -9,6 +9,8 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/dgrijalva/jwt-go"
+	ptypes "github.com/gogo/protobuf/types"
 	pb "github.com/prysmaticlabs/prysm/proto/validator/accounts/v2"
 	"github.com/prysmaticlabs/prysm/shared/event"
 	"github.com/prysmaticlabs/prysm/shared/fileutil"
@@ -79,6 +81,28 @@ func TestServer_SignupAndLogin_RoundTrip(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestServer_Logout(t *testing.T) {
+	key, err := createRandomJWTKey()
+	require.NoError(t, err)
+	ss := &Server{
+		jwtKey: key,
+	}
+	tokenString, _, err := ss.createTokenString()
+	require.NoError(t, err)
+	checkParsedKey := func(*jwt.Token) (interface{}, error) {
+		return ss.jwtKey, nil
+	}
+	_, err = jwt.Parse(tokenString, checkParsedKey)
+	assert.NoError(t, err)
+
+	_, err = ss.Logout(context.Background(), &ptypes.Empty{})
+	require.NoError(t, err)
+
+	// Attempting to validate the same token string after logout should fail.
+	_, err = jwt.Parse(tokenString, checkParsedKey)
+	assert.ErrorContains(t, "signature is invalid", err)
+}
+
 func TestServer_ChangePassword_Preconditions(t *testing.T) {
 	localWalletDir := setupWalletDir(t)
 	defaultWalletPath = localWalletDir

validator/rpc/server.go

@@ -2,6 +2,7 @@ package rpc
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 
@@ -130,15 +131,10 @@ func (s *Server) Start() {
 	s.grpcServer = grpc.NewServer(opts...)
 
 	// We create a new, random JWT key upon validator startup.
-	r := rand.NewGenerator()
-	jwtKey := make([]byte, 32)
-	n, err := r.Read(jwtKey)
+	jwtKey, err := createRandomJWTKey()
 	if err != nil {
 		log.WithError(err).Fatal("Could not initialize validator jwt key")
 	}
-	if n != len(jwtKey) {
-		log.WithError(err).Fatal("Could not create random jwt key for validator")
-	}
 	s.jwtKey = jwtKey
 
 	// Register services available for the gRPC server.
@@ -172,3 +168,16 @@ func (s *Server) Stop() error {
 func (s *Server) Status() error {
 	return s.credentialError
 }
+
+func createRandomJWTKey() ([]byte, error) {
+	r := rand.NewGenerator()
+	jwtKey := make([]byte, 32)
+	n, err := r.Read(jwtKey)
+	if err != nil {
+		return nil, err
+	}
+	if n != len(jwtKey) {
+		return nil, errors.New("could not create appropriately sized random JWT key")
+	}
+	return jwtKey, nil
+}