The project already includes a revokeAllRefreshTokens(userId) function that removes all refresh tokens belonging to a user from Redis. However, this functionality is not currently exposed through an API endpoint or the user interface. As a result, users cannot invalidate all active sessions if they suspect their account has been compromised.
Problem
When a user logs out from one device, other active sessions remain valid until their refresh tokens expire. Since refresh tokens are valid for up to 30 days, a stolen refresh token could continue to be used during that period if it is not explicitly revoked.
The project already includes a revokeAllRefreshTokens(userId) function that removes all refresh tokens belonging to a user from Redis. However, this functionality is not currently exposed through an API endpoint or the user interface. As a result, users cannot invalidate all active sessions if they suspect their account has been compromised.
Problem
When a user logs out from one device, other active sessions remain valid until their refresh tokens expire. Since refresh tokens are valid for up to 30 days, a stolen refresh token could continue to be used during that period if it is not explicitly revoked.