
Single session support

Open hkirat opened this issue 1 year ago • 9 comments

Allow only a single login for a user at a time. Apparently not possible using the credentials strategy in next-auth, so open to ideas.

hkirat avatar Feb 21 '24 06:02 hkirat

By tracking sessions for each user, enforcing single logins becomes feasible. If someone attempts to log in using a friend's credentials, two sessions with the same credentials would occur, resulting in the automatic logout of one session. This ensures adherence to a single-login policy, maintaining security and preventing unauthorized access.

Vishal2002 avatar Feb 21 '24 07:02 Vishal2002

I think the easiest way to implement this would be to save the device ID or a unique identifier. This can be generated by https://www.npmjs.com/package/@fingerprintjs/fingerprintjs (this one requires a license for commercial use) or other ones that are open source. Actually, thinking about it, we can just get the fingerprint of the browser.

When the user signs in we save the fingerprint to the DB and in the session. After that, the only thing we have to do is check whether the session fingerprint matches the DB one, because the DB one will change each time the user signs in from a different device/browser (we keep only the last sign-in).

I don't know if this makes sense; there are probably better solutions.

Actually, maybe we don't even need a fingerprint; a JWT token should work fine in this case, I think.

@hkirat

siinghd avatar Feb 22 '24 05:02 siinghd

The question is how do we logout people on demand.

hkirat avatar Feb 22 '24 06:02 hkirat

The question is how do we logout people on demand.

So, like, manually log out the user, right? In this case:

The admin searches for the user, finds a card of the user with a logout button, and on button click a random UUID or anything is generated and set as the fingerprint ID or token in the DB.

This way the frontend, already checking for a mismatch between the fingerprint/token present in the user session and the DB, will do the logout, e.g. in Next.js middleware, which is the first thing that comes to my mind.

siinghd avatar Feb 22 '24 08:02 siinghd

@siinghd so the frontend will need to poll the server to check the current session/fingerprint ID? And if it mismatches with the browser's, it will return the logout signal, then the browser will log out the user. Is that what you are saying?

initeshjain avatar Feb 25 '24 13:02 initeshjain

That sounds easily bypassable though; the user can simply hijack that request. I might be over-engineering here though.

hkirat avatar Feb 25 '24 15:02 hkirat

That sounds easily bypassable though; the user can simply hijack that request. I might be over-engineering here though.

Let me implement this, I think it should work

siinghd avatar Feb 25 '24 15:02 siinghd

Let me know if this sounds logical:

Like the user logs in to his/her ID, then we use a Redis DB (I think Redis works well for scalable apps, so I said Redis; feel free to choose yours) and make a flag at the DB level {userLoggedIn: initially false when the user is not logged in}. When the user logs into the account we change that flag to true, and if another user tries to log in we just check: if the flag != true then we let the user log in, and if the flag == true then we show a message saying "User already logged in".

[There is a problem if the user directly closes the browser; in that case I think we can set a time period, and if the user is not interacting after a while we can log them out by default, like banking apps.]

Let me know your thoughts on it.

mrpaaradox avatar Feb 25 '24 15:02 mrpaaradox

@Adiiittt this is the other way around. We need to log in the other user and log out the previous session.

initeshjain avatar Feb 25 '24 16:02 initeshjain