Skip to content

Implement "Logout from All Devices" using revokeAllRefreshTokens() #2

Description

@astalakshmi3

The project already includes a revokeAllRefreshTokens(userId) function that removes all refresh tokens belonging to a user from Redis. However, this functionality is not currently exposed through an API endpoint or the user interface. As a result, users cannot invalidate all active sessions if they suspect their account has been compromised.

Problem

When a user logs out from one device, other active sessions remain valid until their refresh tokens expire. Since refresh tokens are valid for up to 30 days, a stolen refresh token could continue to be used during that period if it is not explicitly revoked.

Metadata

Metadata

Assignees

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions