Insecure Global Token Revocation in REVOKE_REFRESH_TOKEN in src/GraphQl/Mutations/mutations.ts

[sancheet230]

Description

The REVOKE_REFRESH_TOKEN mutation lacks user scoping/authorization, enabling any authenticated user to revoke all refresh tokens, risking system-wide DoS and privilege escalation.

Reproduction Steps

Authenticate as any user.

Run:

mutation { revokeRefreshTokenForUser }  

Result: All users are logged out.

Impact

DoS: Disrupts all active sessions.

Security: Non-admins can revoke admin sessions.

Compliance: Unauthorized session termination violates GDPR/CCPA.

Proposed Fix

Add a userId: ID! argument to target specific users.

Enforce authorization: Allow only admins or the user themselves to revoke tokens.

Backend validation:

if (!isAdmin && currentUser.id !== userId) throw Error("Unauthorized");  

P0: Requires immediate patch to prevent exploitation.

Potential internship candidates

Please read this if you are planning to apply for a Palisadoes Foundation internship

• Student Internship Programs talawa#359

[sancheet230]

@palisadoes @Cioppolo14 I have already solved this on my local so you can assign me I will deal with it and soon will open a PR

[palisadoes]

Closing. The API doesn't use refresh tokens