
Token is not invalidated #7236

Open
awkward-minion opened this issue May 4, 2024 · 1 comment

Comments

@awkward-minion

Bug report

The JWT token is not being invalidated

Describe the bug

The request to protected resources must not be allowed when the JWT token is invalidated.

The token invalidation can be done using either of the following ways:

  1. curl: `curl -X DELETE '{backend_url}/store/auth' -H 'Authorization: Bearer {access_token}'`
  2. Medusa client: `client.auth.deleteSession()`

System information

Medusa version (including plugins):

  1. "@medusajs/medusa": "^1.20.4"
  2. "@medusajs/medusa-js": "^6.1.8"

Node.js version: v20.11.0
Database: postgres
Operating system: MacOS Ventura
Browser (if relevant): -

Steps to reproduce the behavior

Pre-reqs: Medusa is installed and configured properly with a database.

  1. Log in to the app as a customer

     ```sh
     curl -X POST '{backend_url}/store/auth' \
       -H 'Content-Type: application/json' \
       --data-raw '{
          "email": "[email protected]",
          "password": "supersecret"
       }'
     ```

  2. Log out the customer

     ```sh
     curl -X DELETE '{backend_url}/store/auth' \
       -H 'Authorization: Bearer {access_token}'
     ```

  3. Try to retrieve the customer details

     ```sh
     curl '{backend_url}/store/auth' \
       -H 'Authorization: Bearer {access_token}'
     ```

     This should fail as the token was invalidated in step 2.

Expected behavior

As the token is invalidated, the subsequent requests to the protected entity must throw a 401 error.

Screenshots

NA

Code snippets

NA

Additional context

401 is thrown in one case, i.e., when the Authorization header is not present.

@adevinwild
Contributor

adevinwild commented May 11, 2024

I think it's the intended behavior based on the description property here:
https://github.com/medusajs/medusa/blob/v1.20.6/packages/medusa/src/api/routes/admin/auth/delete-session.ts

You'll probably have to handle this one yourself
