usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/
124 stars 50 forks source link

How can I reset / remove token from user? #102

Open richard-313 opened 1 year ago

richard-313 commented 1 year ago

Hi, I want only one user can use the token. If the same user wants to connect on another device, he has to relogin on this new device. I thought, I can do it, by reset or remove all user related token, when user login?

dominic-ks commented 1 year ago

Hello, @s72817,

Have you tried using the device parameter when requesting a token (I think) this can be validated in subsequent calls, maybe @pesseba can confirm?

richard-313 commented 1 year ago

Hi @dominic-ks thanks for your reply. I think devices are designed for parallel use:

"This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter device with the device identifier to associate the refresh token only with that device."

I think, the (only) possible way is, to immediately creating refresh token after login.

pesseba commented 1 year ago

Hi @dominic-ks and @s72817 there is a way to block all tokens. This feature happens when user reset their password. The function that do this is private block_all_tokens( $user_id ) in Devices, but you can call the callback for password reset (it will call the block_all_tokens):

$user = get_user_by('id', 26 ); //get the user you want...
$devices = new \JWTAuth \Devices();
$devices->after_password_reset($user, '');