Logout does not invalidate access token in Concourse #9215

@IvanChalukov

Description

Summary

During the security validation of our Concourse instance, we discovered that user access tokens are not deleted from the database upon logout. As a result, the token remains valid and can still be used to access the Concourse API until it expires.

Steps to reproduce

  1. Start Concourse locally using docker-compose.
  2. Log in to the Concourse UI.
  3. Copy the skymarshal_auth token from the browser's storage.
  4. Log out from Concourse.
  5. Use the saved token from step 3 to access an authenticated API endpoint (e.g., http://localhost:8080/api/v1/jobs).

Expected results

Upon logout, the access token should be revoked or deleted from the database, making it immediately invalid for further API access.

Actual results

The token remains valid until its expiration time, allowing continued access to the Concourse API even after the user has logged out.

Additional context

After a quick investigation, I found that on logout, only the skymarshal_auth token is removed from the browser cookie - no action is taken to revoke or delete the token from the database.

Triaging info

  • Concourse version: 7.13.1
  • Browser (if applicable): N/A
  • Did this used to work? N/A
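As an added illustration of the behaviour the report asks for (server-side revocation on logout), here is a constructed Go sketch. It is not Concourse's skymarshal code and not the fix the project shipped; `TokenStore`, `session`, `Issue`, `Authenticate`, `Logout`, `LogoutHandler` and `RequireAuth` are all assumed names. Only the cookie name `skymarshal_auth` comes from the report. The point it shows is that a bearer token is only as revocable as the server-side record behind it: clearing the cookie in the browser leaves any copied token valid, while deleting the record makes every copy useless at once.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Constructed example of server-side token revocation; not Concourse's code.

// ErrInvalidToken is returned for unknown, revoked or expired tokens.
var ErrInvalidToken = errors.New("token unknown, revoked or expired")

// session is the server-side record that gives a bearer token its meaning.
type session struct {
	user      string
	expiresAt time.Time
}

// TokenStore holds live sessions keyed by token. Deleting the record is what
// makes logout effective: a client-side copy of the cookie is then worthless.
type TokenStore struct {
	mu       sync.Mutex
	sessions map[string]session
	Now      func() time.Time // injectable clock so expiry can be tested
}

func NewTokenStore() *TokenStore {
	return &TokenStore{sessions: map[string]session{}, Now: time.Now}
}

// Issue mints a random 256-bit token for user and records it server-side.
func (s *TokenStore) Issue(user string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = session{user: user, expiresAt: s.Now().Add(ttl)}
	return tok, nil
}

// Authenticate resolves a token to its user. Revocation and expiry are both
// checked against the store, so a lifetime embedded in the token alone never
// grants access.
func (s *TokenStore) Authenticate(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok || !s.Now().Before(sess.expiresAt) {
		delete(s.sessions, tok) // drop expired records opportunistically
		return "", ErrInvalidToken
	}
	return sess.user, nil
}

// Logout deletes the server-side record and reports whether one existed.
func (s *TokenStore) Logout(tok string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[tok]
	delete(s.sessions, tok)
	return ok
}

const authCookie = "skymarshal_auth" // cookie name taken from the report

// LogoutHandler clears the cookie AND revokes it server-side; the report
// describes a logout that does only the first of these.
func (s *TokenStore) LogoutHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(authCookie); err == nil {
		s.Logout(c.Value)
	}
	http.SetCookie(w, &http.Cookie{Name: authCookie, Value: "", MaxAge: -1, Path: "/"})
	w.WriteHeader(http.StatusNoContent)
}

// RequireAuth wraps an API handler and rejects revoked or expired tokens.
func (s *TokenStore) RequireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(authCookie)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if _, err := s.Authenticate(c.Value); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

func main() {
	store := NewTokenStore()
	tok, _ := store.Issue("alice", time.Hour)
	_, err := store.Authenticate(tok)
	fmt.Println("before logout, token accepted:", err == nil)
	store.Logout(tok)
	_, err = store.Authenticate(tok)
	fmt.Println("after logout, token accepted:", err == nil)
}
```

The same design applies to stateless JWTs: if the server keeps no record per token, logout needs a denylist of revoked token IDs (checked on every request until the token's natural expiry) or a per-user "not valid before" timestamp, otherwise the lifetime baked into the token is the only thing that ends the session.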

Metadata

  • Status: Done
  • Milestone: None
  • Linked branches or pull requests: None