sublinks / sublinks-api

MIT License

Create logout API route and delete tokens #406

Open kgilles opened 4 weeks ago

kgilles commented 4 weeks ago

Today there's no way to invalidate an auth token via the API, which means that when a user logs out via the UI, the frontend can't tell the backend to remove the active token connected to the user. This token can still be used to make API requests.

This isn't necessarily a big security threat as long as the frontend promptly removes all references to this token, and the token itself is given a very short lifetime. However, I want to share some reasons in favor of deleting these tokens in the backend on logout.

  1. I did say this isn't a big security threat. However, it could still give malicious actors access to more users' active tokens in case database access is gained, compared to if we removed these tokens on user logout.
  2. Keeping the tokens alive even after the user has logged out means we can't trust the validate_auth* API route response (according to my personal expectation that it returns falsy after the user has logged out).
  3. I believe it's an expectation from the user that there be no way to take actions as the user after they've logged out.

* I'm developing restricted frontend routes which require the user to be logged in, such as the "create a post" page. I'd like to use the validate_auth route to know whether the user is logged in or not, and direct the user to the login page if I receive a non-OK response.

Open to discuss.
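One way the requested behaviour can be implemented server-side, as an added example that is not part of the sublinks-api code base: the in-memory dictionary is a constructed stand-in for the API's token table, and `login`, `validate_auth` and `logout` are hypothetical function names. Storing only a digest of each token also limits what an attacker gains from a copy of the table (point 1 above).

```python
import hashlib
import secrets
import time

# Constructed in-memory token store standing in for the API's token table.
# Only a SHA-256 digest of each token is kept, so a dump of this table does
# not yield bearer tokens that can be replayed against the API.
_TOKENS = {}          # token digest -> (user_id, expires_at)
TOKEN_LIFETIME = 900  # seconds; short so a leaked token ages out quickly


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id, now=None):
    """Issue a fresh random bearer token for user_id and record its digest."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = (user_id, now + TOKEN_LIFETIME)
    return token


def validate_auth(token, now=None):
    """True only while the token is still stored and has not expired.

    After logout() the digest is gone, so this returns False, which is the
    behaviour the frontend relies on to redirect to the login page.
    """
    now = time.time() if now is None else now
    digest = _digest(token)
    entry = _TOKENS.get(digest)
    if entry is None:
        return False
    _user_id, expires_at = entry
    if now >= expires_at:
        _TOKENS.pop(digest, None)  # lazily purge expired tokens
        return False
    return True


def logout(token):
    """Delete the caller's token so it cannot be used again; True if removed."""
    return _TOKENS.pop(_digest(token), None) is not None
```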