Description
Currently, the socket connection validates the JWT token only during the initial handshake. Once established, the WebSocket connection remains active indefinitely, even if the user logs out, their token expires, or the account is disabled. This exposes the application to session hijacking and unauthorized real-time communication.
Impact
Users can continue sending and receiving messages via WebSocket after their authentication token is invalid or expired.
Proposed Fix
- Implement a heartbeat/verification check on the socket connection to periodically validate the JWT token.
- Listen for logout events to explicitly terminate the socket connection from the server-side.
Description
Currently, the socket connection validates the JWT token only during the initial handshake. Once established, the WebSocket connection remains active indefinitely, even if the user logs out, their token expires, or the account is disabled. This exposes the application to session hijacking and unauthorized real-time communication.
Impact
Users can continue sending and receiving messages via WebSocket after their authentication token is invalid or expired.
Proposed Fix