nhost / hasura-backend-plus

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
https://nhost.github.io/hasura-backend-plus/
MIT License

Logout for "all":"true" should be possible without providing a current refresh_token #617

Closed dewulf closed 3 years ago

elitan commented 3 years ago

Do you mean that the user provides the JWT Token instead?

dewulf commented 3 years ago

Thanks, Elitan, for your answer! And thanks for moving forward with such a great product. Removing all current refresh_tokens is currently not possible without providing a valid current one. For me, it would make more sense to provide no refresh_token at all when "all":"true", and then to simply remove all existing refresh_tokens from the table.

elitan commented 3 years ago

Ah, you want to clear all refresh tokens for all users? Is that what you're trying to do?

Our intent was that all: true would sign out the user from all other devices. So all: true means that all of the logged-in user's refresh tokens would be deleted, not all refresh tokens for every user.

dewulf commented 3 years ago

OK, I understand. It makes full sense. The only misunderstanding on my side was why I should provide a concrete refresh token when I want to delete all tokens for a specific user. But I see now that this behavior is realized in auth/token/revoke. Thanks for your support, much appreciated.
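
The scoping discussed in this thread, as an added sketch that is not part of the thread and not hasura-backend-plus code: the presented refresh token identifies the caller, and all: true widens the revocation to that user's other tokens only. `RefreshTokenStore`, `logout`, `demo` and the token strings are hypothetical names and constructed sample values.

```javascript
// Added illustration; not hasura-backend-plus source code.
// Hypothetical in-memory stand-in for the refresh-token table: token -> userId.
class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();
  }

  // Records an already-generated token. Real tokens must be unguessable
  // random values; the ones used in demo() are constructed labels.
  add(token, userId) {
    this.tokens.set(token, userId);
  }

  // The presented refresh token is what identifies (and authenticates) the
  // caller, so even an all=true logout fails closed without a valid one.
  logout(refreshToken, { all = false } = {}) {
    const userId = this.tokens.get(refreshToken);
    if (userId === undefined) {
      return { ok: false, revoked: 0 };
    }
    if (!all) {
      this.tokens.delete(refreshToken);
      return { ok: true, revoked: 1 };
    }
    // all=true: revoke every token of this user only, never other users' tokens.
    let revoked = 0;
    for (const [token, owner] of this.tokens) {
      if (owner === userId) {
        this.tokens.delete(token);
        revoked += 1;
      }
    }
    return { ok: true, revoked };
  }

  countFor(userId) {
    return [...this.tokens.values()].filter((owner) => owner === userId).length;
  }
}

function demo() {
  const store = new RefreshTokenStore();
  store.add('rt-alice-phone', 'alice'); // constructed sample tokens
  store.add('rt-alice-laptop', 'alice');
  store.add('rt-bob-phone', 'bob');
  const anonymous = store.logout(undefined, { all: true }); // no token presented
  const scoped = store.logout('rt-alice-phone', { all: true });
  return { anonymous, scoped, alice: store.countFor('alice'), bob: store.countFor('bob') };
}
```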