Is it possible to sign out all other user sessions except the current one?

[anttiriski]

Hello community!

I was wondering if it is possible to sign out all other user sessions except the current one? My company has a paid plan that is charged by the number of seats, and that could be exploited with a public company user that everyone has access to. One way to help this exploit would be to only use magic links to sign in, because companies tend to have personal emails.

How can this problem be solved?

[GaryAustin1]

Well, logout kills all "sessions" currently. That function mainly logs a message and deletes all refresh tokens from auth.refresh_tokens table for the uid.

From gotrue:

// Logout deletes all refresh tokens for a user.
func Logout(tx *storage.Connection, instanceID uuid.UUID, id uuid.UUID) error {
	return tx.RawQuery("DELETE FROM "+(&pop.Model{Value: RefreshToken{}}).TableName()+" WHERE instance_id = ? AND user_id = ?", instanceID, id).Exec()
}

You might be able to trigger on before insert to that table (new refresh token created on login) and in that trigger delete all refresh_tokens for that uid. You probably need to do some checking on when else inserts occur to table, if any.

With the deleted tokens any other user will timeout from use of the account on your token expiration setting.
I've not tried any of this, just an idea if nothing else comes along.

[J0]

As an update to this thread, there is now a scope parameter on signOut which allows you to specify whether you wish to kill all sessions, all other sessions except current session and more.

[Xananax]

Is there any way to log out a specific user from an admin panel? There are situations where users who can't log in request it, or when we want to log out a user because we suspect malicious activity, and invite them to log back in. Is there any way to do that?

[GaryAustin1]

There is no way to impact a user's devices from the Supabase servers directly. They will be signed in until their jwt's expire.

You could probably create an SQL script to delete all the refresh tokens for their user id from auth.refresh_tokens. This would stop all devices for the user from refreshing their sessions, similar to signout with all sessions set.