maelstrom-rs / maelstrom

High performance Matrix Home Server in rust.
Apache License 2.0

Session management: logout #77

Open chrisabruce opened 4 years ago

chrisabruce commented 4 years ago

Invalidates a user access token

Invalidates an existing access token, so that it can no longer be used for authorization. The device associated with the access token is also deleted. Device keys for the device are deleted alongside the device.

Spec: https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-logout

Some helpful steps:

dr-bonez commented 4 years ago

Login was designed with this in mind. The way I would recommend doing this is, during logout, to keep a record of the jti in the token used, along with its expiration. Once the token is expired, the record can be cleaned out. Auth tokens should be rejected if they contain a jti in the table.
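
The jti denylist suggested in the comment above, sketched as an added example that is not part of the original comment or the maelstrom code base. `Claims`, `AuthError`, `RevokedTokens` and the in-memory map are hypothetical names standing in for the real table, and the token's signature is assumed to have been verified before these checks run.

```rust
use std::collections::HashMap;

/// Claims from a token whose signature was already verified (out of scope here).
pub struct Claims {
    pub jti: String,
    pub exp: u64, // expiry, seconds since the Unix epoch
}

#[derive(Debug, PartialEq)]
pub enum AuthError { Expired, Revoked }

/// Hypothetical in-memory stand-in for the revocation table: jti -> token expiry.
#[derive(Default)]
pub struct RevokedTokens { by_jti: HashMap<String, u64> }

impl RevokedTokens {
    /// Logout: remember the jti until the token would have expired anyway.
    pub fn revoke(&mut self, claims: &Claims) {
        self.by_jti.insert(claims.jti.clone(), claims.exp);
    }

    /// Auth check. Expiry is tested first, so purging a record never re-admits a token.
    pub fn authorize(&self, claims: &Claims, now: u64) -> Result<(), AuthError> {
        if claims.exp <= now {
            return Err(AuthError::Expired);
        }
        if self.by_jti.contains_key(&claims.jti) {
            return Err(AuthError::Revoked);
        }
        Ok(())
    }

    /// Cleanup: drop records for tokens that have expired; returns how many were removed.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.by_jti.len();
        self.by_jti.retain(|_, exp| *exp > now);
        before - self.by_jti.len()
    }
}

fn main() {
    // Constructed sample values, not taken from the project.
    let mut revoked = RevokedTokens::default();
    let token = Claims { jti: "example-jti-1".into(), exp: 2_000 };
    assert_eq!(revoked.authorize(&token, 1_000), Ok(()));
    revoked.revoke(&token);
    assert_eq!(revoked.authorize(&token, 1_000), Err(AuthError::Revoked));
    assert_eq!(revoked.purge_expired(2_000), 1);
    assert_eq!(revoked.authorize(&token, 2_000), Err(AuthError::Expired));
}
```

Because the expiry check runs before the denylist lookup, the cleanup job can run on any schedule without opening a window in which a logged-out token is accepted again.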

mcrakhman commented 4 years ago

Started working on the ticket