-
Notifications
You must be signed in to change notification settings - Fork 341
Description
🐞 Bug Summary
There is a mismatch between the jti (JWT ID) claim found in the decoded JWT token and the jti value stored in the database for what should be the same token. This results in inconsistency where a single token appears to have two different identifiers one in the token itself and another in the system's storage. This can lead to authentication failures, token revocation issues, or inaccurate token tracking.
🧩 Affected Component
Select the area of the project impacted:
-
mcpgateway- API -
mcpgateway- UI (admin panel) -
mcpgateway.wrapper- stdio wrapper - Federation or Transports
- CLI, Makefiles, or shell scripts
- Container setup (Docker/Podman/Compose)
- Other (explain below)
🔁 Steps to Reproduce
- Generate a new token via the UI or API.
- Decode the generated token using the appropriate secret key and note the jti value in the payload.
- Query the email_api_tokens table in the database and locate the entry corresponding to the generated token.
- Compare the jti value from the decoded token with the one stored in the database, observe that they do not match.
🤔 Expected Behavior
The jti generated during token creation should be stored in the database exactly as it appears in the JWT payload. Both values should match and uniquely identify the same token instance.
💥Impact:
Token revocation or validation mechanisms relying on jti fail.
Security audit trails may be inaccurate.
Potential security risk if invalid or mismatched tokens are treated as valid.
🧠 Environment Info
You can retrieve most of this from the /version endpoint.
| Key | Value |
|---|---|
| Version or commit | e.g. v0.9.0 or main@a1b2c3d |
| Runtime | e.g. Python 3.11, Gunicorn |
| Platform / OS | e.g. Ubuntu 22.04, macOS |
| Container | e.g. Docker, Podman, none |
🧩 Additional Context (optional)
Add any configuration details, flags, or related issues.