Hi!! Do you know if there are some method to block...
# help
u
Hi!! Do you know if there is some method to block or invalidate a user session?
c
It depends on what you need to block them on
u
basically they don't have permissions until a random period of time has passed
c
sorry, I don't think I understand, can you be more specific? An example would be good
u
For example, one user is logged in with their JWT. Imagine that some kind of admin wants to invalidate their current session for a period of time or wants to revoke their web session. Is that possible?
s
Preventing users from signing in for a time isn't something that's built in, but there are a few things worth investigating. Quick disclaimer: I haven't implemented something like this myself, so I have no idea if it's safe to do. If you try it, it's your responsibility to fix it if it breaks anything, but let us know how it goes if you do decide to try it. The `auth` schema includes a `refresh_tokens` table, which includes columns such as `revoked` and `user_id`. It might be possible to set up a trigger so that when a new token is added to the `refresh_tokens` table, it checks whether the token matches a certain user ID, then sets `revoked` to `true`. You could probably add a column (e.g. `banned_until`) to a `public.users` table. When the trigger runs, check that table, then check the `banned_until` column. If the value is set and the time hasn't yet passed, then set `revoked` to `true`.
c
What @User is suggesting will only prevent the user from refreshing their token when the current one expires; however, it will have no effect while the user's current JWT is still valid. By default, JWT tokens are valid for 60 min (you can see this in the Dashboard: Auth -> Settings -> JWT expiry), but you can reduce it to any number you want. The shorter it is, the better control you have over the user's session, but it also increases the number of refresh requests that the server needs to handle (so it's a tradeoff).
Also, even if you revoke the refresh token, the user will still be able to log in again manually. If this is a problem, you will need to manually change their password in the auth.users table so they cannot log in again manually.
So if you can live with the JWT expiry and only block the user when their current JWT expires, the steps above (removing the refresh token and changing their password) will work.
However, if you need to take immediate action, then it really depends on how you've set up your security. E.g. if you use RLS, you can add an additional check to each RLS rule to verify that the user ID is NOT in a list of blocked users (you can have a separate table for that).
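The two suggestions in the thread combined into one schema, as an added example that is not code from the thread, from Supabase, or from any of the participants: a `before insert` trigger on `auth.refresh_tokens` that revokes new refresh tokens for banned users (the approach s describes), plus an RLS policy that denies access immediately while the current JWT is still valid (the approach c describes). It assumes a Supabase-style Postgres with `auth.refresh_tokens(user_id, revoked)` and the `auth.uid()` helper as discussed above; `public.banned_users`, `public.is_banned`, `public.revoke_banned_refresh_tokens` and the sample `public.posts` table are names chosen for this example.

```sql
-- Added example, not from the thread. Assumes a Supabase-style Postgres with
-- auth.refresh_tokens(user_id, revoked) and auth.uid() available.
-- banned_users, is_banned, revoke_banned_refresh_tokens and posts are example names.

-- Ban list: one row per user, with the time the ban ends.
create table if not exists public.banned_users (
  user_id      uuid primary key,
  banned_until timestamptz not null
);

-- Enable RLS with no policies so ordinary users cannot read or edit the ban list;
-- only the service role and the security-definer helper below can see it.
alter table public.banned_users enable row level security;

-- Single source of truth used by both the trigger and the RLS policies.
create or replace function public.is_banned(uid uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.banned_users b
    where b.user_id = uid
      and b.banned_until > now()
  );
$$;

-- Trigger: a refresh token issued to a banned user is marked revoked before it is stored,
-- so the user cannot obtain a new JWT once the current one expires.
-- auth.refresh_tokens.user_id is stored as text in Supabase, hence the cast.
create or replace function public.revoke_banned_refresh_tokens()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
begin
  if public.is_banned(new.user_id::uuid) then
    new.revoked := true;
  end if;
  return new;
end;
$$;

drop trigger if exists revoke_if_banned on auth.refresh_tokens;
create trigger revoke_if_banned
  before insert on auth.refresh_tokens
  for each row execute function public.revoke_banned_refresh_tokens();

-- RLS: immediate enforcement, independent of JWT expiry. Every policy on a
-- protected table adds the same NOT is_banned(auth.uid()) condition.
create table if not exists public.posts (
  id       bigserial primary key,
  owner_id uuid not null,
  body     text not null
);

alter table public.posts enable row level security;

create policy "owners read their posts unless banned"
  on public.posts for select
  to authenticated
  using (owner_id = auth.uid() and not public.is_banned(auth.uid()));

create policy "owners write their posts unless banned"
  on public.posts for insert
  to authenticated
  with check (owner_id = auth.uid() and not public.is_banned(auth.uid()));

-- Banning is then a single upsert from the service role, e.g.:
-- insert into public.banned_users (user_id, banned_until)
--   values ('<user uuid>', now() + interval '24 hours')
--   on conflict (user_id) do update set banned_until = excluded.banned_until;
```

Two things to check after applying this: first, the thread's warning still holds, since triggers on the `auth` schema are not an officially supported extension point and may need to be re-verified after platform upgrades; second, the RLS condition has to be added to every policy on every table the banned user should lose access to, because a single policy without it leaves that table reachable for as long as the current JWT is valid.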