Is it possible to sign out all other user sessions except the current one? #5243
-
Hello community! I was wondering if it is possible to sign out all other user sessions except the current one? My company has a paid plan that is charged by the number of seats, and that could be exploited with a public company user that everyone has access to. One way to help this exploit would be to only use magic links to sign in, because companies tend to have personal emails. How can this problem be solved?
-
Well, logout kills all "sessions" currently. That function mainly logs a message and deletes all refresh tokens from the auth.refresh_tokens table for the uid. From gotrue:
You might be able to create a before-insert trigger on that table (a new refresh token is created on login) and in that trigger delete all refresh_tokens for that uid. You probably need to do some checking on when else inserts occur on that table, if any. With the deleted tokens, any other user will time out from use of the account according to your token expiration setting.
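A worked version of the before-insert trigger suggested above, added here as an example and not code from the thread or from gotrue. It assumes auth.refresh_tokens has a `user_id` column and a `parent` column that is empty on a fresh sign-in but set to the previous token when gotrue rotates a token; check both against your own schema before using it.

```sql
-- Added example (not from the original thread): evict every other session for a
-- user when that user signs in again. Because this is a BEFORE INSERT trigger,
-- the row being inserted (the new sign-in's token) is not yet in the table, so
-- deleting all existing rows for the uid leaves only the new session alive.
-- Assumptions to verify: auth.refresh_tokens(user_id varchar, parent varchar).
create or replace function auth.single_session_per_user()
returns trigger
language plpgsql
security definer
set search_path = auth
as $$
begin
  -- Token rotation also inserts rows, but those carry the old token in
  -- "parent". Only a fresh sign-in (no parent) should evict other sessions;
  -- otherwise the current session would log itself out on every refresh.
  if coalesce(new.parent, '') = '' then
    delete from auth.refresh_tokens
     where user_id = new.user_id;
  end if;
  return new;
end;
$$;

drop trigger if exists single_session_per_user on auth.refresh_tokens;
create trigger single_session_per_user
  before insert on auth.refresh_tokens
  for each row
  execute function auth.single_session_per_user();
```

Deleting refresh tokens does not invalidate access tokens (JWTs) that were already issued, so evicted sessions keep working until their JWT expires; a short JWT expiry is what bounds that window.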
-
As an update to this thread, there is now a
-
Is there any way to log out a specific user from an admin panel? There are situations where users who can't log in request it, or when we want to log out a user because we suspect malicious activity, and invite them to log back in. Is there any way to do that?