# help
e
How can I invalidate an access token? `await supabase.auth.signOut()` doesn't invalidate the token itself.
e
When I invoke the signOut() method, I expect the access token used for that Supabase client session to stop working. To test it, I set it up so that when the user clicks logout it invokes an endpoint that calls the Supabase signOut method. I don't delete the cookie or anything, and if I refresh the page the access_token still successfully queries the database. I know I can just delete the access_token cookie and they'll be logged out on that device, but I want signOut to stop the access token from working. E.g. what if someone's account is compromised and they sign out? It won't stop the other session from still performing malicious actions.
g
A JWT is good for the length of time it was set to expire (this is not Supabase specific). You can shorten the expiry time to minutes, at the cost of more refreshes.
n
Epailes (2022-06-04)
e
Ah, I'd misunderstood when it said session_id; I assumed that meant it was session based and thus could be invalidated. Is there any way to use sessions with Supabase rather than fully fledged JWTs?
g
I'm not the best one to opine on HTTP-type server sessions in the REST world, if that is what you are referring to. The Supabase "session" in the client is just a construct they use to store the JWT and user info, and is not directly related to server sessions (as I'm familiar with them from the PHP world). Since I jumped in on your question you may want to ask again on that front, as once a thread gets going, the eyes on it go down...
j
@Epailes from what I know, you'd have to implement that function yourself, or you could update the RLS policies to check a token against a list of invalidated tokens.
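One way to build the "list of invalidated tokens" suggested above, added here as an example and not code from the thread or from Supabase itself. It keys the denylist on the `session_id` claim that the thread mentions, reads that claim through PostgREST's standard `request.jwt.claims` setting, and wires the check into a row level security policy. The `public.profiles` table, the `revoked_sessions` table, the helper function name and the placeholder session id are all assumptions made for this example.

```sql
-- Denylist of sessions whose tokens should no longer be honoured.
-- Constructed example table; RLS is enabled with no policies, so only
-- the table owner / service role can read or write it directly.
create table if not exists public.revoked_sessions (
  session_id text primary key,
  revoked_at timestamptz not null default now()
);
alter table public.revoked_sessions enable row level security;

-- Returns true when the session_id claim of the current request's JWT
-- is on the denylist. Runs as the function owner so it can read the
-- denylist even though callers have no policy on it. A request with no
-- session_id claim (e.g. the anon key) is treated as not revoked.
create or replace function public.session_is_revoked()
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.revoked_sessions r
    where r.session_id =
      (current_setting('request.jwt.claims', true)::jsonb ->> 'session_id')
  );
$$;

-- Hypothetical data table protected by the check: the usual owner rule
-- plus the denylist lookup, so a revoked session fails every query even
-- though its JWT still verifies until it expires.
alter table public.profiles enable row level security;
create policy "owner can read unless session revoked"
  on public.profiles
  for select
  using (auth.uid() = id and not public.session_is_revoked());

-- What the logout endpoint runs (with a privileged role) after decoding
-- the session_id claim from the token being signed out.
insert into public.revoked_sessions (session_id)
values ('<session_id claim of the token being signed out>')
on conflict (session_id) do nothing;

-- Housekeeping: once the access tokens for a session have expired the
-- entry is no longer needed, so prune rows older than the JWT lifetime.
delete from public.revoked_sessions
where revoked_at < now() - interval '1 hour';
```

Two caveats worth noting: the same `not public.session_is_revoked()` clause has to be added to every policy (insert, update, delete) on every table the token can reach, since RLS is evaluated per table, and the check only covers requests that go through PostgREST; anything that bypasses RLS (the service role key, direct database connections) is unaffected by the denylist.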