
[CAPI] JWT auth cache issue #3896

@LaurenceJJones

Description


What happened?

Summary

When migrating or reinstalling CrowdSec, restoring a backed-up online_api_credentials.yaml after a fresh install can leave the agent using a stale, cached JWT stored in the local database. On startup, CrowdSec does not verify that the JWT’s username matches the credentials in online_api_credentials.yaml, so it reuses the cached token. This causes enrollment issues and mis-attributed alerts until the JWT expires.

Impact / Side effects

  • Alerts are attributed to the wrong username (from the cached JWT) for the period between token creation and token expiry.
  • Enrollment remains offline until the cached JWT expires or is cleared.
  • Running console enrollment appears as a new machine, because the JWT corresponds to the old username.

Workarounds

  • Clear the cached JWT from the local database, then restart CrowdSec so it re-authenticates.
  • Wait a minute after installation, since the cached JWT is compared against its creation time (> 1 minute): if you wait at least a minute before restarting the CrowdSec service, it will not reuse the cached JWT.

What did you expect to happen?

Expected Behavior

  • On startup (or when credentials change), the agent should validate the cached JWT against the username in online_api_credentials.yaml.
  • If there’s a mismatch or the token cannot be validated, the agent should discard the cached JWT and re-authenticate using the credentials file so enrollment comes back under the correct account/machine.

Actual Behavior

  • The agent reuses the cached JWT from the DB even when the credentials file has been replaced with different (restored) credentials.
  • Enrollment stays broken and alerts—if any—are sent under the wrong username until the JWT expires.

How can we reproduce it (as minimally and precisely as possible)?

Follow these steps:

  1. Install CrowdSec and enroll it into the console.
  2. Move the credentials file aside: mv /etc/crowdsec/online_api.credentials.yaml{,.bak}
  3. Run cscli capi register and wait at least a minute.
  4. To simulate a "fresh install", simply restart CrowdSec so that the JWT is populated in the database.
  5. Restore the original credentials: mv /etc/crowdsec/online_api.credentials.yaml{.bak,}
  6. systemctl restart crowdsec

Now the JWT in the database is reused even though the file on disk has changed; within half an hour the console will report that the engine has not contacted it and classify the engine as offline.
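The startup check the report asks for, as an added example that is not CrowdSec's own code: it keeps the "created less than a minute ago" rule described in the workaround and additionally refuses a cached token whose login does not match the login from online_api_credentials.yaml or which has expired. That the CAPI username is carried in a JWT claim named "login" is an assumption made for this example; the login is passed in as a string rather than read from the YAML file.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims is the subset of JWT claims the check needs. That the CAPI username
// sits in a claim named "login" is an assumption made for this example.
type Claims struct {
	Login string `json:"login"`
	Exp   int64  `json:"exp"`
}

// DecodeClaims reads the payload of a compact JWT without checking the
// signature: this only decides whether a cached token is worth reusing.
func DecodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := &Claims{}
	return c, json.Unmarshal(raw, c)
}

// ReuseCachedToken keeps the "created less than a minute ago" rule the issue
// describes and adds the checks it asks for: the login in the cached token
// must match the login from online_api_credentials.yaml and not be expired.
func ReuseCachedToken(token, fileLogin string, created, now time.Time) (bool, string) {
	if now.Sub(created) > time.Minute {
		return false, "cached token older than a minute"
	}
	c, err := DecodeClaims(token)
	if err != nil {
		return false, "undecodable cached token: " + err.Error()
	}
	if c.Login != fileLogin {
		return false, "login mismatch: token=" + c.Login + " file=" + fileLogin
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return false, "cached token expired"
	}
	return true, ""
}
```

When the function returns false, the caller should delete the cached token from the local database and authenticate with the credentials file, which is the re-enrollment behaviour the report expects.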

Anything else we need to know?

No response

