# Manage JWT Blocklist

**ID:** ADM-007

**Priority:** Medium

**Status:** Planned
## User Story

As a platform administrator, I want to view and manage the JWT blocklist so that I can revoke tokens during security incidents and verify that revocations are working.
## Acceptance Criteria

- [ ] View all blocked JWT IDs with metadata
- [ ] Search blocklist by JWT ID or user
- [ ] Manually add JWTs to blocklist
- [ ] View reason for each blocklist entry
- [ ] Blocklist entries show expiration (when they can be removed)
- [ ] Bulk revoke all tokens for a user
- [ ] Bulk revoke all tokens for an organization
- [ ] Automatic cleanup of expired blocklist entries
## Technical Notes

- JwtManager has `blockedJwtIdList` infrastructure
- `pushOrGetJwtIdBlocklist` endpoint exists
- Need admin UI for blocklist management
- ReceptionHousekeeping could handle cleanup
- Consider Redis for high-performance blocklist checks
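
Added example of the blocklist semantics the criteria above describe (not the project's JwtManager code; class and method names are assumed): entries are keyed by JWT ID and carry the reason plus the token's own expiry, bulk revocation for a user or organization is recorded as an issued-at cutoff because a jti list cannot enumerate every outstanding token, and housekeeping drops entries whose tokens have expired on their own.

```python
from dataclasses import dataclass, field


@dataclass
class BlockEntry:
    jti: str          # JWT ID being revoked
    sub: str          # user the token was issued to
    reason: str       # shown in the admin UI ("stolen laptop", ...)
    expires_at: int   # the token's own exp; the entry is dead weight after this


@dataclass
class JwtBlocklist:
    """Hypothetical in-memory blocklist; stands in for the project's JwtManager."""
    entries: dict = field(default_factory=dict)      # jti -> BlockEntry
    user_cutoff: dict = field(default_factory=dict)  # sub -> revoke tokens issued at/before
    org_cutoff: dict = field(default_factory=dict)   # org -> same, per organization

    def block(self, jti, sub, reason, expires_at):
        """Manually add one token to the blocklist."""
        self.entries[jti] = BlockEntry(jti, sub, reason, expires_at)

    def revoke_user(self, sub, now):
        # A jti list cannot enumerate every live token for a user, so bulk
        # revocation records a cutoff: anything issued at or before it is dead.
        self.user_cutoff[sub] = now

    def revoke_org(self, org, now):
        self.org_cutoff[org] = now

    def is_revoked(self, claims):
        """Revocation check, run after signature and exp have been verified."""
        if claims["jti"] in self.entries:
            return True
        for table, key in ((self.user_cutoff, "sub"), (self.org_cutoff, "org")):
            cutoff = table.get(claims.get(key))
            if cutoff is not None and claims["iat"] <= cutoff:
                return True
        return False

    def search(self, jti=None, sub=None):
        """Search by JWT ID or user for the admin view."""
        return [e for e in self.entries.values()
                if (jti is None or e.jti == jti) and (sub is None or e.sub == sub)]

    def cleanup(self, now):
        """Housekeeping: drop entries whose token has expired on its own."""
        stale = [j for j, e in self.entries.items() if e.expires_at <= now]
        for j in stale:
            del self.entries[j]
        return len(stale)
```

The per-user and per-organization cutoffs can themselves be dropped once `now - cutoff` exceeds the maximum token lifetime, since no token issued before them can still be valid.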
## Related TODOs

- Enhancement to existing blocklist infrastructure