Session management: logout

Open chrisabruce opened this issue 4 years ago • 2 comments

Invalidates a user access token

Invalidates an existing access token, so that it can no longer be used for authorization. The device associated with the access token is also deleted. Device keys for the device are deleted alongside the device.

Spec: https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-logout

Some helpful steps:

  • add route to routes
  • add handler (maybe under registration or auth)
  • add delete_device fn to Store trait and to the implementations PostgresStore and MockStore

chrisabruce, Apr 06 '20 11:04

Login was designed with this in mind. The way I would recommend doing this is, during logout, to keep a record of the jti in the token used, along with its expiration. Once the token is expired, the record can be cleaned out. Auth tokens should be rejected if they contain a jti in the table.

dr-bonez, May 01 '20 18:05
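The jti record-keeping suggested in the comment above, sketched as an added example that is not part of the issue or of maelstrom's code. `Claims`, `AuthError` and `RevokedTokens` are hypothetical names, the in-memory map stands in for the table, and the token's signature is assumed to have been verified before these checks run.

```rust
use std::collections::HashMap;

/// Claims of an already signature-verified token (JWT names, RFC 7519).
pub struct Claims {
    pub jti: String, // unique token id
    pub exp: u64,    // expiry, seconds since the Unix epoch
}

#[derive(Debug, PartialEq)]
pub enum AuthError { Expired, Revoked }

/// Hypothetical in-memory denylist: jti -> expiry of the token it belongs to.
#[derive(Default)]
pub struct RevokedTokens { by_jti: HashMap<String, u64> }

impl RevokedTokens {
    /// Logout: record the jti until the token would have expired anyway.
    pub fn revoke(&mut self, claims: &Claims) {
        self.by_jti.insert(claims.jti.clone(), claims.exp);
    }

    /// Authorization: expiry is checked first, so purging a jti record
    /// can never make an old token usable again.
    pub fn authorize(&self, claims: &Claims, now: u64) -> Result<(), AuthError> {
        if claims.exp <= now {
            return Err(AuthError::Expired);
        }
        if self.by_jti.contains_key(&claims.jti) {
            return Err(AuthError::Revoked);
        }
        Ok(())
    }

    /// Cleanup: drop records whose token has expired; returns the number removed.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.by_jti.len();
        self.by_jti.retain(|_, exp| *exp > now);
        before - self.by_jti.len()
    }
}

fn main() {
    // Constructed sample token; times are plain seconds for readability.
    let token = Claims { jti: "constructed-jti-1".to_string(), exp: 1_000 };
    let mut revoked = RevokedTokens::default();
    revoked.revoke(&token);
    println!("{:?}", revoked.authorize(&token, 500));
}
```

Because the expiry check runs before the denylist lookup, the cleanup job only bounds the table's size and has no effect on which tokens are accepted.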

Started working on the ticket

mcrakhman, May 09 '20 08:05