Home > Software engineering >  Firebase - Revoking refresh token doesn't delete all active sessions
Firebase - Revoking refresh token doesn't delete all active sessions

Time:06-03

I am trying to sign out the account of a user in multiple devices in which it is active.

For this, in my backend, I am doing:

async function deleteAccount(userId) {
  // Close all the current active sessions
  await closeAllUserActiveSessions(userId);

  return auth.deleteUser(userId);
}

async function closeAllUserActiveSessions(userId) {
  await auth.revokeRefreshTokens(userId);
  const userRecord = await auth.getUser(userId);
  const timestamp = new Date(userRecord.tokensValidAfterTime).getTime() / 1000;

  functions.logger.log(`Tokens revoked at: ${timestamp}`);
}

I supposed that, after calling auth.revokeRefreshTokens(userId) the account would be automatically signed out on all devices, but that's not the case.

Is it possible to sign out all sessions? What's the use of auth.revokeRefreshTokens(userId)?

I am just trying to logout my user account (from all devices) when the user changes its password or deletes it account... Any ideas?

CodePudding user response:

The behavior you're seeing is as expected: ID tokens are bearer tokens and cannot be revoked once they are minted.

If you want existing ID tokens to be rejected after revoking the refresh token, you'll need to detect the revocation in each backend service that uses the ID tokens to establish the caller's identity.

There is no direct notification to the other clients when a user changes their password, so you'd have to send such a notification yourself.

Page link:https//www.codepudding.com/Softwareengineering/429057.html

Prev:How to configure low-level socket properties for a web server (Tomcat) embedded in my spring-boot ap
Next:Firestore how to fetch specific data with specific user id in Flutter
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding