
add session revocation

Open patrick-hofmann opened this issue 1 year ago • 4 comments

Add the possibility to revoke sessions to prevent session stealing from cookies for logged-out users

patrick-hofmann avatar Oct 24 '24 20:10 patrick-hofmann

Thank you @patrick-hofmann

But I believe that in order to do this we need to properly think about creating a more generic Session Storage, so it can be used to track active sessions instead of storing revoked ones.

If I am not mistaken I believe @Barbapapazes is working on something like this.

atinux avatar Oct 27 '24 13:10 atinux

Hello 👋,

Indeed, I'm working on something but I can't give an ETA (I'm making progress but it's bigger than expected).

With a cookie store, you can't revoke a session but you don't need to store the session. It's a compromise compared to a database session.

You can't revoke a cookie session because you're using the user's device as a store, and so the store isn't centralised. For this reason, it is not possible to get all the sessions of the same user.

If the session is on a stolen device, you'll never be able to revoke a session. With a database session, a user can view all active sessions and delete them (on the server) so the cookie won't be usable.

Barbapapazes avatar Oct 27 '24 14:10 Barbapapazes

Hi @atinux and @Barbapapazes

Can I help you with your work in progress solution?

Best regards, Patrick

patrick-hofmann avatar Oct 27 '24 14:10 patrick-hofmann

Hi @atinux and @Barbapapazes 👋

I've added a PR #265 to provide a server-side session and therefore allow revoking sessions by logging out the user. I've used useStorage in order to persist the data since it's less effort, also for beginners, in contrast to a full database implementation, and has fewer dependencies.

Maybe @Barbapapazes we can merge your progress at some point?

For a complete server-side handling of users with different login methods, we could think of nuxt-auth-utils being an identity provider itself and federating the login to the different providers. This way sessions of a user with a unique id across providers could be related and managed across devices, but I think this is an even bigger decision/implementation and I'm not sure if this is still in the scope of this module or if this should be a separate module (nuxt-auth-idp?).

patrick-hofmann avatar Oct 30 '24 12:10 patrick-hofmann
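The difference the thread turns on (a cookie-only session cannot be revoked, a server-side session can) as an added example that is not code from nuxt-auth-utils or from PR #265: the cookie holds only an opaque random id, the record lives on the server, and logout or "log out everywhere" deletes that record so a copied cookie stops working. The in-memory `Map`, the `createSessionStore` API and its option names are assumptions standing in for a persistent store such as Nitro's `useStorage`.

```javascript
// Added example (not nuxt-auth-utils or PR #265 code): a revocable server-side
// session store. The cookie carries only an opaque random id; every session
// record lives on the server, so deleting the record invalidates the cookie at once.
// An in-memory Map stands in for a persistent store such as Nitro's useStorage.

function defaultIdGen() {
  // Session ids must be unguessable: use the runtime's CSPRNG (Node 19+ / browsers).
  if (!globalThis.crypto?.randomUUID) throw new Error('CSPRNG required for session ids');
  return globalThis.crypto.randomUUID();
}

function createSessionStore({ idGen = defaultIdGen, now = () => Date.now(), ttlMs = 7 * 24 * 3600 * 1000 } = {}) {
  const sessions = new Map(); // sid -> { userId, device, createdAt, expiresAt }

  function create(userId, device = 'unknown') {
    const sid = idGen();
    const createdAt = now();
    sessions.set(sid, { userId, device, createdAt, expiresAt: createdAt + ttlMs });
    return sid; // the only value that goes into the cookie
  }

  function get(sid) {
    const s = sessions.get(sid);
    if (!s) return null; // unknown or already revoked
    if (s.expiresAt <= now()) { sessions.delete(sid); return null; } // expired
    return s;
  }

  // Logout: drop this session; the cookie is useless even if it was copied earlier.
  function revoke(sid) { return sessions.delete(sid); }

  // "View all active sessions" for an account page (expired ones are pruned on the way).
  function listForUser(userId) {
    return [...sessions.entries()]
      .filter(([sid, s]) => s.userId === userId && get(sid) !== null)
      .map(([sid, s]) => ({ sid, device: s.device, createdAt: s.createdAt }));
  }

  // "Log out everywhere", optionally keeping the session the user is acting from.
  function revokeAllForUser(userId, keepSid = null) {
    let n = 0;
    for (const [sid, s] of sessions) {
      if (s.userId === userId && sid !== keepSid) { sessions.delete(sid); n++; }
    }
    return n;
  }

  return { create, get, revoke, listForUser, revokeAllForUser };
}
```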