jwt-auth

How can I reset / remove token from user?

Open richard-313 opened this issue 2 years ago • 3 comments

Hi, I want only one user to be able to use the token. If the same user wants to connect on another device, he has to log in again on this new device. I thought I could do it by resetting or removing all user-related tokens when the user logs in?

richard-313, Apr 20 '23 10:04

Hello, @s72817,

Have you tried using the device parameter when requesting a token? I think this can be validated in subsequent calls; maybe @pesseba can confirm?

dominic-ks, Apr 20 '23 15:04

Hi @dominic-ks, thanks for your reply. I think devices are designed for parallel use:

"This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter device with the device identifier to associate the refresh token only with that device."

I think the (only) possible way is to immediately create a refresh token after login.

richard-313, Apr 20 '23 17:04

Hi @dominic-ks and @s72817, there is a way to block all tokens. This happens when a user resets their password. The function that does this is the private block_all_tokens( $user_id ) in Devices, but you can call the callback for password reset (it will call block_all_tokens):

$user = get_user_by( 'id', 26 ); // get the user you want...
$devices = new \JWTAuth\Devices();
$devices->after_password_reset( $user, '' ); // password-reset callback; blocks all of the user's tokens

pesseba, Apr 24 '23 11:04
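
The behaviour asked for in this thread (a new login invalidates the tokens the same user holds on other devices), shown as an added example that is not from the thread participants or the jwt-auth plugin. It is plain PHP 8 without WordPress; the class name, the `gen` claim, the secret and the in-memory counter are assumptions made for the illustration, and a real site would persist the counter per user.

```php
<?php
// Constructed demo: single-session tokens via a per-user generation counter.
// SingleSessionTokens, the 'gen' claim and the secret are hypothetical names.
final class SingleSessionTokens
{
    /** @var array<int,int> user id => current generation (stand-in for stored user meta) */
    private array $generation = [];
    public function __construct(private string $secret) {}

    private static function b64url(string $raw): string
    {
        return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    }

    private function sign(string $input): string
    {
        return self::b64url(hash_hmac('sha256', $input, $this->secret, true));
    }

    /** Log in: bump the generation so every earlier token of this user stops validating. */
    public function login(int $userId, int $ttl = 3600): string
    {
        $gen = $this->generation[$userId] = ($this->generation[$userId] ?? 0) + 1;
        $header  = self::b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
        $payload = self::b64url(json_encode(['sub' => $userId, 'gen' => $gen, 'exp' => time() + $ttl]));
        return "$header.$payload." . $this->sign("$header.$payload");
    }

    /** Returns the user id for a live token, or null if forged, expired or superseded. */
    public function verify(string $token): ?int
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3) return null;
        [$header, $payload, $sig] = $parts;
        if (!hash_equals($this->sign("$header.$payload"), $sig)) return null; // constant-time compare
        $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
        if (!is_array($claims) || !isset($claims['sub'], $claims['gen'], $claims['exp'])) return null;
        if ($claims['exp'] < time()) return null;
        $current = $this->generation[$claims['sub']] ?? 0;
        return $claims['gen'] === $current ? $claims['sub'] : null;
    }
}

$auth    = new SingleSessionTokens('constructed-demo-secret');
$deviceA = $auth->login(26);        // first device logs in
var_dump($auth->verify($deviceA));  // checked while device A holds the newest token
$deviceB = $auth->login(26);        // same user logs in on a second device
var_dump($auth->verify($deviceA));  // device A's token is now one generation behind
var_dump($auth->verify($deviceB));  // device B holds the current generation
```

Because the check compares the claim against server-side state, revocation takes effect on the next request rather than at token expiry.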