Add missing access token JTI claim to prevent replay attacks after blacklist bypass

[RUKAYAT-CODER]

Overview

src/auth/auth.service.ts generates access tokens with only {sub, email, role}. Without a jti (JWT ID) claim, the token blacklist cannot selectively revoke individual tokens — it can only revoke all tokens for a user. This makes targeted logout (e.g. "log out this specific device") impossible and forces a coarse-grained revocation strategy.

Specifications

Features:

• Include a unique jti (UUID) in every access token payload.
• Use jti as the blacklist key instead of userId.

Tasks:

• Import randomUUID from crypto in auth.service.ts.
• Add jti: randomUUID() to the access token payload in generateTokens().
• Update TokenBlacklistService to blacklist by jti with TTL equal to token remaining lifetime.
• Update JwtStrategy.validate() to check the jti against the blacklist on every request.
• Add unit tests verifying jti uniqueness and blacklist behavior.

Impacted Files:

• src/auth/auth.service.ts
• src/auth/jwt.strategy.ts
• src/security/token-blacklist/token-blacklist.service.ts

Acceptance Criteria

• Every issued access token contains a unique jti.
• Blacklisting a jti only invalidates that specific token, not all tokens for the user.
• Unit tests verify the blacklist lookup occurs on each authenticated request.

[Thoni76]

@Thoni76 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Good day maintainer, please i would love to fix this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Thoni76 to this issue.

[Dennis-Ritchie1]

@Dennis-Ritchie1 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainers, I'd love to take this on.

I'm a Full Stack Developer with production experience across the entire stack—from pixel-accurate frontends to scalable APIs and database architecture.

My Stack: Next.js • React • TypeScript • Tailwind • Node.js • Express • PostgreSQL • Prisma/Drizzle

📦 What I'll Deliver
Frontend: Pixel-perfect, accessible (semantic HTML), and responsive UI components.

Backend: Secure, validated RESTful or GraphQL endpoints with robust database schema design/migrations.

Quality: Clean, reusable code following your repository's existing patterns.

📋 Execution Plan
Review & Align: Audit the spec and existing code patterns for [Mention specific component/route name].

Build: Implement frontend UI interactions alongside the necessary backend business logic.

Test & QA: Write tests for critical paths and QA across multiple breakpoints.

PR Delivery: Open a structured PR with a summary of backend changes and visual assets (screenshots/video).

I'm available to spin this up right away. Looking forward to contributing!

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Dennis-Ritchie1 to this issue.

[Menjay7]

@Menjay7 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi! I’m a full-stack developer with a strong blockchain background. I’d love to handle this issue and can deliver a clean, reliable solution. Kindly assign it to me.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Menjay7 to this issue.

[Divineifed1]

@Divineifed1 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

kindly assign me to Add missing access token JTI claim to prevent replay attacks after blacklist bypass on this project efficiently

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Divineifed1 to this issue.

[drips-wave]

Congratulations, @Divineifed1! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Divineifed1: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊